1 Introduction


Our past work in the formalization and verification of fault-tolerant systems
has consisted of three tasks: 

1. The formal design and verification of a circuit that achieves Byzantine 
agreement among four synchronous processors [1]; 

2. The mechanical verification of the Interactive Convergence clock syn- 
chronization algorithm [9]; 

3. The formalization of the Biphase Mark protocol for asynchronous com- 
munication [7]. 

The purpose of the present task, Task 4, is to investigate the integration of 
these previous efforts in the design of an asynchronous Byzantine-resilient 
computing system. The ultimate goal is a formally verified gate-level imple- 
mentation. 

The design of a hardware circuit that achieves asynchronous communica- 
tion is necessarily contingent on an underlying model of hardware behavior. 
Any attempt to devise such a circuit in the abstract, without first establish- 
ing a suitable model, would be a largely wasted effort. Thus, a prerequisite 
for the realization of our goal is the selection of a formal hardware description 
language (HDL), along with an underlying behavioral model. 

Our previous research in hardware modeling and verification has been 
based on an HDL developed at CLI by Brock and Hunt [5]. The utility of the
Brock-Hunt HDL as a verification tool, as demonstrated in the verification 
of the FM9001 microprocessor [4], stems from the simplicity of its semantics. 
All circuits designed in this language are assumed to be driven by an implicit 
global clock. Simulation of a circuit amounts to a computation of a sequence 
of states corresponding to clock cycles. Thus, no explicit representation of 
time or propagation delays is provided, so that the class of circuits that can 
be satisfactorily modeled is limited. In particular, the language is unsuitable 
for any application involving asynchrony. 

Commercial event-driven simulation languages provide for a broader range 
of hardware behaviors. VHDL [7] in particular has gained wide acceptance 
in the hardware design community as a validation tool. Since the limitations 
of simulation as a method of validation are well known, a formal verification 
system based on VHDL would have clear practical value. Unfortunately, like
most programming languages in common use, VHDL was not intended as 
an object of reason. Inevitably, its semantics are complicated and obscure. 
Various attempts to formalize VHDL [2,6] have encountered severe difficulty 
and show limited promise of short-term success. 

We have undertaken, therefore, to develop a new formal HDL with the 
intended application of verifiable asynchronous communication. This paper 
is a report on the progress of this endeavor. Our primary objective is to 
formalize the event-based behavioral model of VHDL while retaining the 
semantic clarity of the Brock-Hunt HDL. Thus, we would like to inherit the
proof methodology developed by Brock and Hunt, including 

• abstract descriptions of (acyclic) combinational circuits in terms of 
Boolean functions; 

• abstract state machine descriptions of sequential devices; 

• hierarchical design and verification of complex circuits. 

At the same time, our language should provide for 

• faithful implementation of the VHDL notions of time and propagation 
delay; 

• gate-level construction of sequential devices by means of feedback loops, 
e.g., flip-flops implemented by cross-coupled nand gates; 

• modeling of asynchronous communication. 

Following [5], we have developed our language within the logical frame- 
work of the Nqthm system of Boyer and Moore [3]. Its simulator (operational) 
semantics are expressed by a recursive function SIM, defined in the Nqthm 
logic. The two principal arguments of this function are a hardware module 
to be simulated and a list of waveforms corresponding to the module’s input 
signals, representing the values of those signals as functions of time. The 
value returned by SIM is a list of waveforms corresponding to the module’s 
output signals, produced by propagating the input values according to the 
structure of the module. 

In Section 2, we describe our formal notion of time, the structure of 
waveforms, and the propagation of signal values. In addition to the two 
conventional VHDL delay modes, transport and inertial, we define a nonde-
terministic mode, which subsumes the other two and provides a scheme for
concise behavioral descriptions of combinational circuits. We also introduce 
the notion of an indefinite or partially specified waveform, which is critical 
to the subsequent development as it provides for the simulation of abstract 
modules with partially defined behaviors. 

In Section 3, we discuss our representation of hardware modules as Nqthm 
constants. The behaviors of combinational, sequential, and structural circuits 
are defined by means of a STEP function, for which we provide an axiomatic 
characterization. The top-level simulator function SIM is defined recursively 
in terms of STEP, as described in Section 4. The simulator is complicated 
considerably by the possible presence of delta delays, which represent zero- 
delay devices as prescribed in the VHDL standard [7]. In conformance with 
commercial VHDL simulators, in order to guarantee that simulation termi- 
nates, an extra argument is passed to SIM, representing a uniform bound on 
the lengths of all zero-delay paths within a circuit. Related constraints are 
also imposed on the input waveforms to a module. 

Our approach to circuit verification is based on formal notions of module 
specification and implementation, as presented in Section 5. Here, we also
describe procedures that automatically derive abstract combinational and se- 
quential behavioral modules that serve as specifications for circuits of certain 
types. Once a behavioral module has been proved to be a specification of 
a circuit, it may be substituted for any instances of the circuit that occur 
as components of any larger circuit without affecting its functionality. This 
principle is the key to hierarchical circuit analysis. 

Included in the text are informal statements of some general theorems 
that are relevant to the verification of circuits defined in our system. The 
proofs of most of these theorems remain to be checked mechanically, and 
this work will be a significant portion of the Task 5 effort. The function 
definitions that compose the simulator, on the other hand, have all been 
formally accepted by the Nqthm prover, and appear in complete form in an 
appendix. 
2 Signals

2.1 Time 

We define a time to be an ordered pair of natural numbers, as recognized by 
the predicate TIMEP (see the appendix for the definition of this and all other 
functions referenced herein). The set of all such pairs is ordered lexicograph-
ically. Thus, the time origin, the least element of this set, is the pair
'(0 . 0).

The first component of a time represents the number of time units, which 
we arbitrarily take to be picoseconds, that have elapsed since the start of 
a simulation. The second component, which we call the delta component, 
is required in order to allow zero-delay events. It represents the number of 
successive zero-delay events that have been scheduled during the current time 
unit. 

The time for which an event is scheduled is computed from the current 
time t0 and a given propagation delay by the function TPLUS. If the delay is
0, then the value returned is the result of incrementing the second component
of t0 by 1; otherwise the delay is added to the first component of t0 and the
second component is set to 0.

2.2 Waveforms 

A waveform is a function that assigns a value to every time. In our formal- 
ization, we represent a waveform as an association list. Each pair in this list 
consists of a value and a time at which that value was or is to be assumed 
by the signal with which the waveform is associated. These pairs, which are 
called events, are listed in decreasing order with respect to time. The time 
of the earliest event in any waveform is '(0 . 0).

There is no restriction on the values that may be assumed by a signal. We 
adopt the convention of using the symbols 'T and 'F to represent high
and low signal values, respectively. The value 'X is special — it represents an
unknown value. Any value other than 'X is said to be definite. A definite
waveform is one that never assumes the value 'X. A value v1 generalizes a
value v2 if either v1 = v2 or v1 = 'X. A waveform w1 generalizes a waveform
w2 if for every time t, the value of w1 at t generalizes the value of w2 at t. Note
that the set of all waveforms is a lower semi-lattice under this relation. This
means that any two waveforms have a greatest lower bound, i.e., a common
generalization that is generalized by any other common generalization. The
set also has a least element with respect to this ordering, which we call the
null waveform, namely the waveform '((X . (0 . 0))), which assigns the
value 'X to every time.

A list of waveforms is called a packet. The lattice structure is extended 
in the obvious manner to the set of all packets of any fixed length. Thus, 
one packet is said to generalize another if the relation holds between corre- 
sponding waveforms. 

2.3 Propagation 

The functions POST-INERTIAL-EVENT-DEFINITE and POST-TRANSPORT-EVENT- 
DEFINITE implement inertial and transport delay, as defined in the VHDL 
standard [5]. Each of these functions takes as arguments a waveform w, a
value v, and a time t1 at which v is to be scheduled on w. POST-INERTIAL-
EVENT-DEFINITE takes as an additional argument the current time t0, which
must precede t1. (The effect of scheduling an event with transport delay is
independent of the current time.) The value returned by either function is 
the appropriately modified waveform. 

However, the correctness of these functions depends on the assumption 
that both v and w are definite. If we allow either argument to be indefinite,
then the more general functions POST-INERTIAL-EVENT and POST-TRANSPORT-
EVENT must be used. While the recursive definitions of these functions are
quite complicated, they may be described informally but precisely as follows: 

For any waveform w, any v, and any times t0 < t1 ≤ t2, the value
of (POST-INERTIAL-EVENT w v t0 t1 t2) is the greatest lower
bound of the set of all waveforms of the form (POST-INERTIAL-
EVENT-DEFINITE w' v' t0 t'), where w' is generalized by w, v'
is generalized by v, and t1 ≤ t' ≤ t2.

For any waveform w, any v, and any times t0 < t1 ≤ t2, the value
of (POST-TRANSPORT-EVENT w v t0 t1 t2) is the greatest lower
bound of the set of all waveforms of the form (POST-TRANSPORT-
EVENT-DEFINITE w' v' t'), where w' is generalized by w, v' is
generalized by v, and t1 ≤ t' ≤ t2.
These are the two functions that are actually called by our simulator
to schedule events for signals with inertial and transport delay, respectively.
Note that in addition to accepting an indefinite value and an indefinite initial
waveform, they also accept a range of possible times instead of a definite time
for the scheduling of the event. In order to schedule an event for a definite
time t, the appropriate function is called with t2 = t1 = t.

We also introduce a third mode of propagation delay, called nondetermin- 
istic delay, which is implemented by the function POST-NONDETERMINISTIC- 
EVENT. The behavior of this function may be described as follows: 

Given any waveform w, any v, and any times t0 < t1 ≤ t2, let
tmin be the minimum of t1 and the times of any events scheduled
on w after t0. (POST-NONDETERMINISTIC-EVENT w v t0 t1 t2)
is the waveform whose value at any time t is

(a) the value of w at t, if t < tmin;

(b) 'X, if tmin ≤ t < t2;

(c) v, if t2 ≤ t.

This delay mode is not actually exhibited by any primitive devices, but 
turns out to be useful in the behavioral specification of complex circuits. 
Its utility, as we shall see in Section 5, stems from the observation that it 
subsumes both inertial and transport modes in the sense that the wave-
form (POST-NONDETERMINISTIC-EVENT w v t0 t1 t2) is a generalization of
both (POST-INERTIAL-EVENT w v t0 t1 t2) and (POST-TRANSPORT-EVENT
w v t0 t1 t2).
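
The time arithmetic of Subsection 2.1 and the nondeterministic posting rule above can be modelled in a few lines of Python. This is an added example, not the appendix's Nqthm definitions: the function names are this example's own, and cases (b) and (c) are read as tmin <= t < t2 and t2 <= t.

```python
# Added example: times, TPLUS and nondeterministic event posting (Section 2).
# A time is a (picoseconds, delta) tuple; Python compares tuples
# lexicographically, which is the ordering the text defines.

X = "X"  # the unknown value 'X

def tplus(t0, delay):
    """Time scheduled for an event, from current time t0 and a delay."""
    ps, delta = t0
    if delay == 0:
        return (ps, delta + 1)   # zero delay: next delta step, same picosecond
    return (ps + delay, 0)       # positive delay: advance time, reset delta

def value_at(w, t):
    """Value of waveform w at time t. w lists (value, time) events, latest
    first, and always ends with an event at the origin (0, 0)."""
    return next(v for v, et in w if et <= t)

def post_nondeterministic(w, v, t0, t1, t2):
    """Schedule v on w somewhere in [t1, t2], following cases (a)-(c)."""
    if not (t0 < t1 <= t2):
        raise ValueError("expected t0 < t1 <= t2")
    # tmin: the earlier of t1 and any event already pending on w after t0.
    tmin = min([t1] + [et for _, et in w if et > t0])
    # (a) events before tmin are untouched (built oldest first).
    out = [(val, et) for val, et in reversed(w) if et < tmin]
    # (b) unknown from tmin until t2, unless the signal is already unknown.
    if tmin < t2 and out[-1][0] != X:
        out.append((X, tmin))
    # (c) v from t2 onward, unless that is already the current value.
    if out[-1][0] != v:
        out.append((v, t2))
    return out[::-1]

def demo_postings():
    """Constructed sample: four values posted with delay range (4000 . 6000)."""
    w = [(X, (0, 0))]
    for ps, v in [(20000, "T"), (40000, "F"), (60000, X), (80000, "T")]:
        t0 = (ps, 0)
        w = post_nondeterministic(w, v, t0, tplus(t0, 4000), tplus(t0, 6000))
    return w

def demo_pending():
    """Constructed sample: an event pending at 30000 pulls tmin ahead of t1."""
    w = [("F", (30000, 0)), ("T", (0, 0))]
    return post_nondeterministic(w, "T", (20000, 0), (35000, 0), (40000, 0))

if __name__ == "__main__":
    print(demo_postings())
    print(demo_pending())
```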

3 Modules 

Our simulator accepts three types of modules: combinational, sequential, and 
structural. A combinational or sequential module is also called behavioral. A
structural module represents a circuit constructed from behavioral modules.
Associated with a module of any type are a fixed number of inputs and a 
fixed number of outputs. 

We define an input packet (resp., output packet) for a given module to be 
a list of waveforms whose length is the number of its inputs (resp., outputs). 
The behavior of a behavioral module is characterized by a function STEP of
four arguments: (1) a module mod, (2) an input packet inp, whose length 
is the number of inputs of mod, (3) an output packet outp, whose length 
is the number of outputs of mod, and (4) a time t. The value returned by 
STEP is the result of updating outp by executing any events in inp that are 
scheduled for time t. This function is defined so as to exhibit the following 
critical properties: 

1. Monotonic: if inp1 and outp1 generalize inp2 and outp2, respec-
tively, then (STEP mod inp1 outp1 t) generalizes (STEP mod inp2
outp2 t).

2. Nonpredictive: If inp1 and inp2 have the same values at all times
that are not later than t, then (STEP mod inp1 outp t) = (STEP
mod inp2 outp t). Thus, the past and projected future behavior of a
module is independent of its future input.

3. Nonretroactive: The values of the updated packet (STEP mod inp 
outp t) at any time no later than t are the same as those of outp. 
Thus, the past behavior of a module is immutable. 


3.1 Combinational Modules 

The simplest modules are combinational. They consist of four components: 
(1) a list of symbols representing input signals; (2) a list of output forms, 
which express the values of the output signals in terms of the values of the 
input signals; (3) a delay mode corresponding to each output signal; and 
(4) a delay range, represented as a pair of numbers, corresponding to each 
output signal. A combinational module is primitive if all of its delay modes 
are inertial or transport and all of its delay ranges are intervals of length 
0. As an example of a primitive module, we define a nand gate as follows: 


(DEFN NAND ()
  '(COMBINATIONAL          ; type
    (A B)                  ; inputs
    ((M-NAND A B))         ; outputs
    (INERTIAL)             ; modes
    ((2000 . 2000))))      ; delays


This module has two inputs and a single output with a fixed inertial delay 
of 2000 picoseconds. (Note that a fixed delay is represented as a degenerate 
range.) 

Output forms must be defined in terms of monotonic functions, in order 
to conform to the monotonicity requirement for our STEP function. Thus, 
the function M-NAND, which is used to compute the output of our nand gate, 
is defined by 

(DEFN M-NAND (A B)
  (IF (EQUAL A 'F) 'T
      (IF (EQUAL B 'F) 'T
          (IF (AND (EQUAL A 'T) (EQUAL B 'T)) 'F
              'X))))

Monotonic versions of other Boolean functions (M-NOT, M-OR, etc.) are defined 
similarly. 

Execution of (STEP mod inp outp t) for a combinational module mod 
amounts to updating each waveform in the packet outp by means of a call to 
the appropriate event-posting function, using the value computed from the 
corresponding output form and the current input values at time t. Thus, for 
combinational modules, the nonpredictive property of STEP may be strength-
ened as follows: If inp1 and inp2 have the same values at time t, then (STEP
mod inp1 outp t) = (STEP mod inp2 outp t).

3.2 Sequential Modules 

A sequential module consists of ten components: (1) a list of input signals; 
(2) a list of output forms; (3) a list of delay modes; (4) a list of delay ranges; 
(5) a trigger, which may be either POSITIVE-EDGE or NEGATIVE-EDGE; (6) a 
list of symbols, called state variables; (7) a list of forms for computing values
of state variables in terms of their previous values and the values of the 
inputs; (8) a minimum admissible clock period; (9) a list of setup times, 
corresponding to the inputs; and (10) a list of hold times, corresponding to 
the inputs. The first four of these components have the same form as the 
components of a combinational module, except that the variables occurring 
in the output forms are state variables rather than input signals. Also, a 
sequential module is required to have at least one input, the first of which is 
always interpreted as the clock input. 
A simple example of a positive-edge-triggered sequential module is the
following: 


(DEFN D-FLIP-FLOP ()
  '(SEQUENTIAL             ; type
    (CLK D)                ; inputs
    (Q (M-NOT Q))          ; outputs
    (INERTIAL INERTIAL)    ; modes
    ((4000 . 6000)
     (4000 . 6000))        ; delays
    POSITIVE-EDGE          ; trigger
    (Q)                    ; state variable
    (D)                    ; state form
    12000                  ; period
    (6000 4000)            ; setups
    (6000 4000)))          ; holds


This module has two inputs: the clock input 'CLK and a data input 'D. It
has a single state variable, 'Q, the value of which is computed simply as the
value of 'D, and two outputs, both with inertial delay, whose values are those
of 'Q and its negation.

A setup time is given for each input. (In the above example the setups 
6000 and 4000 correspond to the inputs 'CLK and 'D, respectively.) Each of
these represents the minimum period during which the corresponding input 
is required to remain constant immediately before a triggering edge, when 
the value of the clock input changes from low to high (i.e., from 'F to 'T)
for a positive-edge-triggered device, or from high to low for a negative-edge- 
triggered device. Thus, the first setup, corresponding to the clock input 
itself, is the parameter that is conventionally called the clock low (in the 
positive-edge case) or clock high (in the negative-edge case). 

Similarly, each hold time represents the minimum period during which 
the corresponding input is required to remain constant immediately after a 
triggering edge; the hold time for the first input is conventionally called the 
clock high or low, in the positive- and negative-edge cases, respectively. 

The minimum clock period is the minimum required elapsed time between 
successive triggering edges. In the above example, the minimum period of 
12000 happens to coincide with the sum of the clock high and low times, but 
this need not be the case (see Subsection 5.2). 
For a sequential module mod, the computation of (STEP mod inp outp
t) involves the computation of the state of mod at time t as determined by
inp. This state is an assignment of values to the state variables of mod. It is
a recursive function of t, behaving as follows: The state of mod at time
'(0 . 0) is the null state, which assigns the value 'X to each state variable. As
long as the inputs are well-behaved, the state changes only when a triggering
edge occurs, at which time a new state is computed from the state forms,
using the previous state values and the current input values. On the other
hand, if at any time any input changes in violation of a setup or hold time,
then the state becomes null.

Execution of (STEP mod inp outp t) for a sequential mod is the same 
as for a combinational module, except that the values that are posted on the 
output waveforms depend on both the current input values and the current 
state, where the latter in turn must be computed from the input history. 

As an example, we shall trace the behavior of the state variable 'Q of the
D-flip-flop in response to a sample input packet. For the clock waveform,
we take the following well-behaved clock pulse w1, which exhibits a regular
period of 20000 over the interval from '(0 . 0) to '(110000 . 0):

'((F . (110000 . 0)) (T . (100000 . 0))
  (F . (90000 . 0)) (T . (80000 . 0))
  (F . (70000 . 0)) (T . (60000 . 0))
  (F . (50000 . 0)) (T . (40000 . 0))
  (F . (30000 . 0)) (T . (20000 . 0))
  (F . (10000 . 0)) (T . (0 . 0)))

For the data input, we take the following waveform w2: 

'((T . (59000 . 0)) (F . (30000 . 0)) (T . (0 . 0))).

Thus, the value of the input signal 'D is 'F on the (half-open) interval from
'(30000 . 0) to '(59000 . 0) and 'T at all other times. The value of 'Q,
which is initially 'X, becomes 'T at the first positive-edge (at time
'(20000 . 0)). Since the value of 'D changes to 'F at time '(30000 . 0), this
becomes the new value of 'Q at the next triggering edge (at '(40000 . 0)).
The 'D value changes again at '(59000 . 0), but at the following edge (at
'(60000 . 0)), the 'D setup time is violated, so 'Q becomes 'X. This state
persists until the next edge (at '(80000 . 0)), when the final value 'T is
assumed.
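
The trace above can be reproduced mechanically. The following Python sketch is an added example, not the report's STEP or state function: it models only the state rule of this subsection for the D-FLIP-FLOP parameters, and its boundary conventions (a change exactly one setup time before an edge is allowed, a data change exactly on the edge is a violation) are assumptions of the example.

```python
# Added example: a simplified model of the Section 3.2 state rule.
X = "X"

# The page's sample inputs, latest event first, as (value, picoseconds).
# All delta components are 0 here, so times are plain integers.
W1_CLK = [("F", 110000), ("T", 100000), ("F", 90000), ("T", 80000),
          ("F", 70000), ("T", 60000), ("F", 50000), ("T", 40000),
          ("F", 30000), ("T", 20000), ("F", 10000), ("T", 0)]
W2_D = [("T", 59000), ("F", 30000), ("T", 0)]

# Setup times, hold times (clock first) and minimum period of D-FLIP-FLOP.
SETUPS, HOLDS, MIN_PERIOD = (6000, 4000), (6000, 4000), 12000

def value_at(w, t):
    """Value of waveform w at time t (latest event not after t)."""
    return next(v for v, et in w if et <= t)

def changes(w):
    """Times at which the signal takes a new value, oldest first."""
    evs = w[::-1]
    return [t for (old, _), (new, t) in zip(evs, evs[1:]) if new != old]

def positive_edges(clk):
    """Times at which the clock goes from 'F to 'T."""
    evs = clk[::-1]
    return [t for (old, _), (new, t) in zip(evs, evs[1:])
            if (old, new) == ("F", "T")]

def trace_q(clk, data, setups=SETUPS, holds=HOLDS, min_period=MIN_PERIOD):
    """Return [(time, value)] for each change of the state variable Q."""
    trace = [(0, X)]                        # null state at the origin

    def record(t, q):
        if trace[-1][1] != q:
            trace.append((t, q))

    prev = None
    for edge in positive_edges(clk):
        # Edges closer together than the minimum period null the state.
        bad = prev is not None and edge - prev < min_period
        for w, setup in zip((clk, data), setups):
            for c in changes(w):
                # The clock's own transition at `edge` is the trigger itself.
                on_edge = c == edge and w is not clk
                if edge - setup < c < edge or on_edge:
                    bad = True              # setup violation
        record(edge, X if bad else value_at(data, edge))   # state form: Q <- D
        late = [c for w, hold in zip((clk, data), holds)
                for c in changes(w) if edge < c < edge + hold]
        if late:
            record(min(late), X)            # hold violation nulls the state
        prev = edge
    return trace

if __name__ == "__main__":
    print(trace_q(W1_CLK, W2_D))
```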
3.3 Structural Modules

A structural module has five components: 

(1) a list of global input signal names; 

(2) a list of submodules, which may be of any type, including the structural
type;

(3) corresponding to each submodule, a list of output signal names; 

(4) corresponding to each submodule, a list of input signal names, each of 
which is either an output of some submodule or a global input; 

(5) a list of global output signal names, each of which is an output of some 
submodule. 

Structural modules may be conveniently defined by means of the DEFCIR- 
CUIT macro. For example, the following represents a D-flip-flop constructed 
by cross-coupling nand gates (where the module NAND3 is a 3-input nand gate 
with a definition similar to that of NAND), as shown in Figure 1:

(DEFCIRCUIT D-WITH-NANDS
  (CLK D)                       ; inputs
  (Q QN)                        ; outputs
  ((NAND)  (B2 B1)     (A1))
  ((NAND)  (A1 CLK)    (B1))
  ((NAND3) (B1 CLK B2) (A2))
  ((NAND)  (A2 D)      (B2))
  ((NAND)  (B1 QN)     (Q))
  ((NAND)  (Q A2)      (QN)))

Aside from simple syntactic requirements for the lists of input and output 
signals, there is only one restriction on the structure of a circuit: we allow 
no zero-delay cycles. (For a formal statement of this restriction, see the 
definition of DELTA-ACYCLIC.) The purpose of this restriction is to guarantee 
that the simulation of a structural module always terminates. 

Figure 1: D-flip-flop

The STEP function is defined so that it accepts structural as well as be-
havioral modules as its first argument mod. If mod is structural, however, the
third argument is more complicated. In general, instead of a simple wave
packet, the expected argument is an object called a bundle for mod. This 
notion is defined recursively as follows: if mod is a behavioral module, then 
a bundle for mod is just an output packet for mod; if mod is structural, then 
a bundle for mod is a list consisting of a bundle for each of its submodules. 
Thus, a bundle for mod is a list structure consisting of a waveform correspond- 
ing to each of the signals produced by mod. In particular, a bundle for mod 
always determines an output packet for mod, namely, the list of waveforms 
that correspond to the output signals of mod. 

The STEP function is also defined recursively according to the structure 
of mod: if inp is an input packet and bun is a bundle for a structural module 
mod, then (STEP mod inp bun t) is the bundle for mod whose i-th member is
(STEP mod_i inp_i bun_i t), where

(a) mod_i is the i-th submodule of mod,

(b) inp_i is a list of the waveforms corresponding to the input signals to
mod_i, extracted from inp and bun through analysis of mod, and

(c) bun_i is the i-th member of bun.

4 Simulation 
4.1 The Function SIM 

SIM is a function of four arguments: (1) a module mod, (2) a packet inp of 
waveforms corresponding to the module’s inputs, (3) a time tf at which the 
simulation is to terminate, and (4) a bound d on the delta components of 
all event times. The returned value is a packet of output waveforms that is 
produced by simulating the module over the time interval from the origin 
'(0 . 0) to time tf.

In order to describe this process more precisely, let t_1, t_2, ..., t_n be the
increasing sequence of all times between '(0 . 0) = t_1 and tf = t_n that
have delta components not exceeding d. The computation of (SIM mod inp
tf d) involves a call to STEP corresponding to each of these times: Let
bun_0, the initial bundle for the simulation, be the bundle for mod in which
every waveform has the constant value 'X (i.e., every waveform is the alist
'((X . (0 . 0)))). For i = 1, ..., n, let bun_i be the value of (STEP mod
inp bun_(i-1) t_i). The value of (SIM mod inp tf d) is the output packet
determined by the bundle bun_n.

4.2 Delta Constraints 

Note that the delta bound d is required to reduce the set of times within 
a given interval to a finite set, and thus to guarantee termination of the 
recursive function SIM. In order to produce the intended behavior of this 
function, we must impose constraints on its arguments that ensure that the 
times of all scheduled events have delta components bounded by d. 

This will require several definitions. First, we shall say that a waveform w
is bounded by d if no event time occurring in w has delta component exceeding
d. Next, we define the level of a signal in a circuit to be the maximum of
the lengths of all zero-delay paths through the circuit starting at the given
signal. A waveform w is admissible for a signal s with respect to d if l ≤ d
and w is bounded by d - l, where l is the level of s. A bundle, or similarly, an
input packet, for mod is admissible with respect to d if each of its waveforms
is admissible for the signal with which it is associated.

Finally, we may state the following important result: If inp and bun are an 
admissible input packet and an admissible bundle for mod wrt d, respectively, 
then (STEP mod inp bun t) is an admissible bundle for mod wrt d. It follows 
that if inp is an admissible input packet for mod wrt d, then for any time t, 
every waveform in the bundle (SIM mod inp t d) is bounded by d. 

It should be noted that our primary motivation for including delta delays 
in our language, in spite of the inherent complications described above, is a 
commitment to adhere to the VHDL delay model. All of the modules that we 
have defined in this language, including all of the examples presented herein, 
exhibit only positive delays. Thus, for our purposes, we may always take the 
d parameter of SIM to be 0, and need never deal with times with nonzero 
delta components. 

4.3 Efficient Execution 

The definition of the function SIM, as described at the beginning of this 
section, is designed to be as theoretically simple as possible. Its execution, 
on the other hand, is impractical for two reasons: 
1. Every call to STEP for a sequential module requires complete calculation
of the module’s state from its input packet. 

2. STEP is called at every legal time during the simulation interval, al- 
though it has no effect at times when no events are scheduled. 

For the purpose of execution, therefore, we have defined a more efficient func- 
tion, FAST-SIM, which may be shown to be equivalent to SIM. This efficiency is 
achieved by eliminating both aspects of the redundancy noted above. Firstly, 
it is defined in terms of a function FAST-STEP, which records the states of 
sequential modules, so that at each step, a state need only be updated rather 
than entirely recomputed. Secondly, FAST-SIM is truly event-driven: it calls 
FAST-STEP only at times when a relevant event is scheduled.

As an illustration, let us consider a call to SIM with the following argu-
ments: (1) the sequential module D-FLIP-FLOP; (2) the input packet consisting
of the waveforms w1 and w2, defined in Subsection 3.2; (3) the terminal time
'(200000 . 0); (4) the delta bound 0. This results in 200001 calls to STEP
(this number would be even larger if we changed the fourth argument). Each
of these calls requires a recomputation of the state by reexamining the entire
input history, which is clearly impractical. The execution of FAST-SIM on
the same arguments, on the other hand, involves only 18 calls to FAST-STEP,
each of which requires only updating the state in response to the most recent
events. The value returned by

(FAST-SIM (D-FLIP-FLOP) (LIST w1 w2) '(200000 . 0) 0)

is the output packet

'(((T 86000 . 0) (X 64000 . 0) (F 46000 . 0)
   (X 44000 . 0) (T 26000 . 0) (X 0 . 0))
  ((F 86000 . 0) (X 64000 . 0) (T 46000 . 0)
   (X 44000 . 0) (F 26000 . 0) (X 0 . 0))).

Note that these waveforms record the behavior of the two output signals 
whose (delayed) values are defined to be those of the state variable 'Q and
its negation. It is instructive to compare this result with the trace of 'Q given
in Subsection 3.2. 
5 Specification

Let modc and moda be two modules. We shall say that modc is an implemen-
tation of moda, or equivalently, that moda is a specification of modc, if the
following relation holds: Given a number d, a time t, and an input packet
inp for moda wrt d, inp is also an input packet for modc wrt d and (SIM
moda inp t d) generalizes (SIM modc inp t d). If one module is both an
implementation and a specification of the other, then we say that the two
are equivalent.

This notion of specification is central to our approach to circuit veri-
fication. Our goal is to characterize the behavior of circuits by deriving
behavioral modules that are specifications of given structural modules. For
example, the correctness of our flip-flop implementation D-WITH-NANDS can
be established by showing that it is an implementation in the above sense of
the sequential module D-FLIP-FLOP. The proof of this theorem remains to
be mechanically checked, but we may illustrate it by comparing simulations
of the two modules on the same input. Thus, when (D-FLIP-FLOP) is re-
placed with (D-WITH-NANDS) as the first argument in the call to FAST-SIM
appearing in the previous section, the following output packet is returned:

'(((T 67000 . 0) (F 46000 . 0) (T 24000 . 0) (X 0 . 0))
  ((F 69000 . 0) (T 44000 . 0) (F 26000 . 0) (X 0 . 0)))

It is easily seen that this output of the implementation D-WITH-NANDS is 
indeed generalized by that of the specification D-FLIP-FLOP. It is also
worth noting that this simulation of the implementation involves 35 calls to 
FAST-STEP on D-WITH-NANDS along with 76 calls to STEP on its combinational 
submodules, as compared to only 18 calls to FAST-STEP for D-FLIP-FLOP. 
Thus, there are two distinct benefits of establishing specifications for mod- 
ules: concise behavioral description and efficient simulation. 
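
The generalization relation of Subsection 2.2 and the comparison made above can be checked directly on the two output packets printed in this report. This Python check is an added example, not part of the report's Nqthm development; the function names are this example's own.

```python
# Added example: waveform generalization and greatest lower bounds,
# applied to the two output packets printed on the page.
X = "X"

# One waveform per output (Q, QN); events latest first, as
# (value, (picoseconds, delta)).
SPEC = [  # FAST-SIM output for D-FLIP-FLOP
    [("T", (86000, 0)), (X, (64000, 0)), ("F", (46000, 0)),
     (X, (44000, 0)), ("T", (26000, 0)), (X, (0, 0))],
    [("F", (86000, 0)), (X, (64000, 0)), ("T", (46000, 0)),
     (X, (44000, 0)), ("F", (26000, 0)), (X, (0, 0))],
]
IMPL = [  # FAST-SIM output for D-WITH-NANDS
    [("T", (67000, 0)), ("F", (46000, 0)), ("T", (24000, 0)), (X, (0, 0))],
    [("F", (69000, 0)), ("T", (44000, 0)), ("F", (26000, 0)), (X, (0, 0))],
]

def value_at(w, t):
    """Value of waveform w at time t (latest event not after t)."""
    return next(v for v, et in w if et <= t)

def value_generalizes(v1, v2):
    """v1 generalizes v2 if they are equal or v1 is unknown."""
    return v1 == v2 or v1 == X

def event_times(*ws):
    """All event times of the given waveforms, in increasing order."""
    return sorted({et for w in ws for _, et in w})

def waveform_generalizes(w1, w2):
    # Waveforms are piecewise constant, so it is enough to compare them
    # at every time where either one has an event.
    return all(value_generalizes(value_at(w1, t), value_at(w2, t))
               for t in event_times(w1, w2))

def packet_generalizes(p1, p2):
    """Packets of equal length, compared waveform by waveform."""
    return len(p1) == len(p2) and all(map(waveform_generalizes, p1, p2))

def glb(w1, w2):
    """Greatest lower bound: the shared value where the two waveforms
    agree, 'X wherever they differ."""
    out = []
    for t in event_times(w1, w2):
        a, b = value_at(w1, t), value_at(w2, t)
        v = a if a == b else X
        if not out or out[-1][0] != v:      # skip events that change nothing
            out.append((v, t))
    return out[::-1]

if __name__ == "__main__":
    print("spec generalizes impl:", packet_generalizes(SPEC, IMPL))
    print("impl generalizes spec:", packet_generalizes(IMPL, SPEC))
```

Because the specification's output generalizes the implementation's, the greatest lower bound of each pair of waveforms is the specification's waveform itself.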

In order to facilitate the verification of more complex circuits, we shall 
require the following basic results: 

1. If formc is one of the output forms of a behavioral module modc, forma
is another form such that the value of forma generalizes the value of
formc for any assignment of variable values, and moda is the result of
replacing formc in modc with forma, then modc implements moda.

2. If modc implements moda, and structc is the result of replacing an
occurrence of moda in structa with modc, then structc implements
structa.

3. If mod1 is a structural module that contains a structural module sub as
a submodule, and mod2 is the result of "flattening" mod1 by replacing
the occurrence of sub with the list of submodules of sub (and recon-
structing all input and output lists accordingly), then mod1 and mod2
are equivalent.

4. If modc is a behavioral module that has an output with either TRANSPORT
or INERTIAL delay mode, and moda is the result of changing this delay
mode to NONDETERMINISTIC, then modc implements moda.

5. If modc is a behavioral module that has an output with delay range
(min1 . max1), and moda is the result of replacing that delay range
with (min2 . max2), where min2 < min1 and max2 > max1, then
modc implements moda.

The first of these results is trivial, and its application often amounts 
to mere tautology checking: if a complicated output form may be shown 
to be logically equivalent to a simpler form, then the simpler form may be 
substituted without affecting functionality. 

The second result is significant in that it provides for hierarchical circuit 
analysis: Suppose we wish to analyze a complex structural module that has 
structural components. Once behavioral specifications are derived for the 
components, they may be substituted to yield a specification for the original 
structure, which is a step toward its behavioral specification. 

As applications of the other three results, we have implemented two pro- 
cedures for deriving behavioral specifications (combinational and sequential, 
respectively) for certain classes of structural modules. These are described 
below. 


5.1 Combinational Specifications 

Any structural module modc that (a) is constructed entirely of
combinational components, and (b) contains no loops, may be shown to be an
implementation of some behavioral combinational module moda. The function
COMB-REDUCE, after verifying that a given structure modc satisfies these
requirements, automatically generates the appropriate specification moda,
constructing its components as follows:

1. The input signals of moda are the global inputs of modc.

2. The form for each output is computed by tracing backwards from each 
output, constructing by means of a series of substitutions an expression 
for the output value in terms of inputs alone. 

3. The delay range for each output is determined by the minimum and 
maximum of the total delays along all paths from inputs. 

4. The delay mode for every output is NONDETERMINISTIC. 

The following 1-bit adder, built out of nand gates as shown in Figure 2, 
is an example of a circuit that meets the above requirements: 


(DEFCIRCUIT ADDER1
  (A B C-IN)                   ; inputs
  (S C-OUT)                    ; outputs
  ((NAND) (A B) (T1))          ;i1
  ((NAND) (A T1) (T2))         ;i2
  ((NAND) (B T1) (T3))         ;i3
  ((NAND) (T2 T3) (T4))        ;i4
  ((NAND) (C-IN T4) (T5))      ;i5
  ((NAND) (C-IN T5) (T7))      ;i6
  ((NAND) (T5 T4) (T6))        ;i7
  ((NAND) (T5 T1) (C-OUT))     ;i8
  ((NAND) (T7 T6) (S)))        ;i9


The intended behavior of this device may be described in terms of the 
functions M-SUM3 and M-MAJ3, which compute the sum modulo 2 and the 
majority, respectively, of three bits. Assuming that the inputs A, B, and 
C-IN remain stable for a sufficiently long period, the outputs S and C-OUT of 
ADDER1 should eventually stabilize with the values (M-SUM3 A B C-IN) and 
(M-MAJ3 A B C-IN), respectively. 

As a first step toward a verified formalization of this description, we apply 
COMB-REDUCE to ADDER1, computing the following specification: 
'(COMBINATIONAL
  (A B C-IN)
  ((M-NAND (M-NAND C-IN
                   (M-NAND C-IN
                           (M-NAND (M-NAND A (M-NAND A B))
                                   (M-NAND B (M-NAND A B)))))
           (M-NAND (M-NAND C-IN
                           (M-NAND (M-NAND A (M-NAND A B))
                                   (M-NAND B (M-NAND A B))))
                   (M-NAND (M-NAND A (M-NAND A B))
                           (M-NAND B (M-NAND A B)))))
   (M-NAND (M-NAND C-IN
                   (M-NAND (M-NAND A (M-NAND A B))
                           (M-NAND B (M-NAND A B))))
           (M-NAND A B)))
  (NONDETERMINISTIC NONDETERMINISTIC)
  ((4000 . 12000) (4000 . 10000)))

The two outputs of this module will stabilize after maximum delays of 12000
and 10000, respectively, assuming stable inputs. Their values, however, are
given by rather complicated expressions in terms of M-NAND. To complete our
analysis of ADDER1, we must show that these two expressions are
tautologically equivalent to the forms (M-SUM3 A B C-IN) and
(M-MAJ3 A B C-IN). Once this is done (automatically by the Nqthm prover),
we may conclude that the following is a specification for ADDER1:

'(COMBINATIONAL
  (A B C-IN)
  ((M-SUM3 A B C-IN)
   (M-MAJ3 A B C-IN))
  (NONDETERMINISTIC NONDETERMINISTIC)
  ((4000 . 12000) (4000 . 10000)))
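
The four construction steps of COMB-REDUCE can be replayed on ADDER1 with the following sketch. It is an added example in Python, not the report's Nqthm code: the names comb_reduce, evaluate, show and check_adder are hypothetical, every gate is assumed to be the 2000-delay NAND primitive, and the final comparison against sum and majority is done by enumeration over the definite values T and F only.

```python
from itertools import product

GATE_DELAY = 2000  # delay of the NAND primitive (assumed fixed for every gate)

# ADDER1 netlist transcribed from the DEFCIRCUIT form: (driven signal, gate inputs).
ADDER1 = {
    "inputs": ("A", "B", "C-IN"),
    "outputs": ("S", "C-OUT"),
    "gates": [
        ("T1", ("A", "B")), ("T2", ("A", "T1")), ("T3", ("B", "T1")),
        ("T4", ("T2", "T3")), ("T5", ("C-IN", "T4")), ("T7", ("C-IN", "T5")),
        ("T6", ("T5", "T4")), ("C-OUT", ("T5", "T1")), ("S", ("T7", "T6")),
    ],
}


def comb_reduce(circuit):
    """Derive a combinational specification from a loop-free NAND netlist."""
    drivers = dict(circuit["gates"])
    inputs = set(circuit["inputs"])

    def trace(sig, visiting):
        # Returns (form, min delay, max delay) of sig in terms of global inputs.
        if sig in inputs:
            return sig, 0, 0
        if sig in visiting:
            raise ValueError(f"combinational loop through {sig}")
        if sig not in drivers:
            raise ValueError(f"signal {sig} has no driver")
        subs = [trace(s, visiting | {sig}) for s in drivers[sig]]
        form = ("M-NAND",) + tuple(f for f, _, _ in subs)
        lo = GATE_DELAY + min(d for _, d, _ in subs)   # shortest input path
        hi = GATE_DELAY + max(d for _, _, d in subs)   # longest input path
        return form, lo, hi

    traced = [trace(out, frozenset()) for out in circuit["outputs"]]
    return {
        "type": "COMBINATIONAL",
        "inputs": circuit["inputs"],
        "forms": [f for f, _, _ in traced],
        "modes": ["NONDETERMINISTIC"] * len(traced),
        "delays": [(lo, hi) for _, lo, hi in traced],
    }


def evaluate(form, env):
    """Evaluate a derived form on definite (True/False) input values."""
    if isinstance(form, str):
        return env[form]
    _, a, b = form
    return not (evaluate(a, env) and evaluate(b, env))


def show(form):
    """Print a form in the report's s-expression notation."""
    if isinstance(form, str):
        return form
    return "(" + " ".join([form[0]] + [show(f) for f in form[1:]]) + ")"


def check_adder(spec):
    """Compare both output forms with sum mod 2 and majority on all 8 inputs."""
    for a, b, c in product((False, True), repeat=3):
        env = {"A": a, "B": b, "C-IN": c}
        s, c_out = (evaluate(f, env) for f in spec["forms"])
        if s != ((a + b + c) % 2 == 1) or c_out != (a + b + c >= 2):
            return False
    return True


if __name__ == "__main__":
    spec = comb_reduce(ADDER1)
    for name, form, delay in zip(ADDER1["outputs"], spec["forms"], spec["delays"]):
        print(name, delay, show(form))
    print("matches sum/majority:", check_adder(spec))
```

The enumeration stands in for the tautology check that the report delegates to the Nqthm prover; it says nothing about inputs carrying the unknown value X.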

5.2 Sequential Specifications 

Our algorithm for deriving a sequential behavioral specification of a
structural module with sequential components requires that (a) the
structure contains no cycles passing only through combinational components,
(b) all global outputs are expressible as functions of state alone (and not
of global inputs), (c) all sequential submodules have the same trigger and
are connected to the same clock input, and (d) the minimum delays of the
outputs of the sequential components are long enough to respect the hold
times of any sequential inputs to which they are connected (either directly
or through paths consisting only of combinational components). The function
SEQ-REDUCE, after verifying that a given structure modc satisfies these
requirements, automatically generates a behavioral specification moda. As a
preliminary step, the signals of modc and its submodules are all renamed in
order to avoid any conflicts. The components of moda are then derived as
follows:

1. The input signals of moda are the global inputs of modc.

2. The trigger of moda is the trigger of the sequential submodules of modc.

3. The state variables of moda are the state variables of all the sequential
components of modc.

4. The state forms of moda are computed by tracing backwards from each
state variable of modc to sequential outputs and global inputs, and
constructing by means of a series of substitutions an expression for the
state variable in terms of state variables and global inputs.

5. The output forms of moda correspond to the global outputs of modc;
they are computed by tracing backwards from each global output to
sequential outputs and constructing by means of a series of substitutions
an expression for the output value in terms of state variables alone.

6. The delay range for each output is determined by the minimum and
maximum of the total delays along all paths from sequential outputs.

7. The delay mode of an output is NONDETERMINISTIC unless it is
generated directly by a sequential component of modc, in which case it
inherits its mode from that component.

8. The setup and hold times of each input are computed as the minimum
times required to respect the setup and hold times of the inputs of the
sequential components to which they are connected.

9. The clock period is the maximum of the longest clock period of a
sequential component and the time required for internal signals to
stabilize in order to respect setup times of sequential inputs.

As an extremely simple example, we consider the following module, con- 
structed by connecting two D-flip-flops (as illustrated in Figure 3): 

(DEFCIRCUIT DOUBLE-FLIP-FLOP
  (CLK D)                              ; inputs
  (OUT OUTN)                           ; outputs
  ((D-FLIP-FLOP) (CLK D) (Q QN))
  ((D-FLIP-FLOP) (CLK Q) (OUT OUTN)))

SEQ-REDUCE derives the following behavioral specification for this struc- 
ture: 


'(SEQUENTIAL                     ; type
  (CLK-2 D-2)                    ; inputs
  (Q-1 (M-NOT Q-1))              ; outputs
  (INERTIAL INERTIAL)            ; modes
  ((4000 . 6000)                 ; delays
   (4000 . 6000))
  POSITIVE-EDGE                  ; trigger
  (Q-0 Q-1)                      ; state variable
  (D-2 Q-0)                      ; state form
  12000                          ; period
  (6000 4000)                    ; setups
  (6000 4000))                   ; holds

Note, however, that the structure only barely satisfies the last item in our
list of preconditions for SEQ-REDUCE, since the minimum output delay of
D-FLIP-FLOP happens to coincide with the setup time of 4000. That is, if
the definition of the flip-flop were altered by replacing the lower limit of the
first delay range by any number smaller than 4000, then DOUBLE-FLIP-FLOP
would be rejected by SEQ-REDUCE.

Our final example is a 4-bit loadable shift register composed of nand gates
and D-flip-flops. We define this structure hierarchically, as shown in Figure 4,
using a component consisting of three gates and a flip-flop:

(DEFCIRCUIT SHIFTER-COMPONENT
  (CLK IN1 IN2 IN3 IN4)                ; inputs
  (Q)                                  ; outputs
  ((NAND) (IN1 IN2) (S1))
  ((NAND) (IN3 IN4) (S2))
  ((NAND) (S1 S2) (D))
  ((D-FLIP-FLOP) (CLK D) (Q QBAR)))

The register is constructed from four of these components:

(DEFCIRCUIT SHIFTER
  (CLK LOAD AIN BIN CIN DIN)           ; inputs
  (AOUT BOUT COUT DOUT)                ; outputs
  ((INV) (LOAD) (SHIFT))
  ((SHIFTER-COMPONENT) (CLK DOUT SHIFT AIN LOAD) (AOUT))
  ((SHIFTER-COMPONENT) (CLK AOUT SHIFT BIN LOAD) (BOUT))
  ((SHIFTER-COMPONENT) (CLK BOUT SHIFT CIN LOAD) (COUT))
  ((SHIFTER-COMPONENT) (CLK COUT SHIFT DIN LOAD) (DOUT)))


The following behavioral specification is generated by SEQ-REDUCE: 


'(SEQUENTIAL
  (CLK-5 LOAD-5 AIN-5 BIN-5 CIN-5 DIN-5)        ; inputs
  (Q-3-1 Q-3-2 Q-3-3 Q-3-4)                     ; outputs
  (INERTIAL INERTIAL INERTIAL INERTIAL)         ; modes
  ((4000 . 6000) (4000 . 6000)                  ; delays
   (4000 . 6000) (4000 . 6000))
  POSITIVE-EDGE                                 ; trigger
  (Q-3-1 Q-3-2 Q-3-3 Q-3-4)                     ; state variables
  ((M-NAND (M-NAND Q-3-4 (M-NOT LOAD-5))        ; state forms
           (M-NAND AIN-5 LOAD-5))
   (M-NAND (M-NAND Q-3-1 (M-NOT LOAD-5))
           (M-NAND BIN-5 LOAD-5))
   (M-NAND (M-NAND Q-3-2 (M-NOT LOAD-5))
           (M-NAND CIN-5 LOAD-5))
   (M-NAND (M-NAND Q-3-3 (M-NOT LOAD-5))
           (M-NAND DIN-5 LOAD-5)))
  14000                                         ; period
  (6000 10000 8000 8000 8000 8000)              ; setups
  (6000 0 0 0 0 0))                             ; holds



This sequential module has four state variables and four matching outputs, 
corresponding to the four flip-flops. It also has four “data” inputs, along 
with a clock and a “load” input. On each cycle, a new state is computed as 
follows: if the load is high, then each state variable assumes the value of the 
corresponding input; if the load is low, then the values of the state variables 
are rotated. Although this behavior may be difficult to ascertain from the 
state forms shown above, it becomes clear once the following tautology is 
noted: 

(EQUAL (M-NAND (M-NAND Q (M-NOT LOAD))
               (M-NAND A LOAD))
       (M-OR (M-AND LOAD A)
             (M-AND (M-NOT LOAD) Q))).

This is our only example of a sequential module with a minimum clock
period (14000) that exceeds the sum of the clock setup and hold times
(12000). The reason for this is that a signal that is sent from one
flip-flop to another must arrive sufficiently in advance of a triggering
edge to respect the receiver's setup time. Thus, the time elapsed from one
positive edge to the next must be at least the sum of the maximum delay of
the sent signal (6000), the delay along the path to the receiver (4000),
and the setup time of the receiver's input (4000).

It is also worth noting that the hold times for all but the clock input are 
0. The reason for this is that the delay along every path from an input to a 
flip-flop is at least as long as the flip-flop’s hold time. 
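
The period, setup and hold figures quoted for DOUBLE-FLIP-FLOP and SHIFTER can be reproduced with the sketch below, an added Python example that is not the report's SEQ-REDUCE. The function seq_timing and its input encoding are hypothetical, the arithmetic is one reading of items 8 and 9 and of precondition (d), and the path delays are constructed by hand from the two netlists assuming 2000 per NAND and INV.

```python
# D-FLIP-FLOP timing parameters as given in the report's module definition.
FF = {
    "out_delay": (4000, 6000),   # (min . max) delay of the flip-flop outputs
    "period": 12000,
    "clk_setup": 6000, "clk_hold": 6000,
    "d_setup": 4000, "d_hold": 4000,
}


def seq_timing(data_inputs, d_paths, ff=FF):
    """Derive period, setups and holds for a structure of identical flip-flops.

    data_inputs: global inputs other than the clock, in declaration order.
    d_paths: one dict per flip-flop, mapping each source that reaches its D
             input to the (min, max) combinational delay of that path; the
             key "Q" stands for the output of a flip-flop in the structure.
    """
    out_min, out_max = ff["out_delay"]
    setups = dict.fromkeys(data_inputs, 0)
    holds = dict.fromkeys(data_inputs, 0)
    period = ff["period"]
    for paths in d_paths:
        for src, (lo, hi) in paths.items():
            if src == "Q":
                # Precondition (d): the earliest change of a flip-flop output
                # must not reach a D input before its hold time has elapsed.
                if out_min + lo < ff["d_hold"]:
                    raise ValueError("output delay too short for hold time")
                # Item 9: latest output change + path + receiver setup.
                period = max(period, out_max + hi + ff["d_setup"])
            else:
                # Item 8: a global input must be stable early enough for the
                # slowest path, and long enough for the fastest one.
                setups[src] = max(setups[src], hi + ff["d_setup"])
                holds[src] = max(holds[src], ff["d_hold"] - lo)
    return {
        "period": period,
        "setups": [ff["clk_setup"]] + [setups[i] for i in data_inputs],
        "holds": [ff["clk_hold"]] + [holds[i] for i in data_inputs],
    }


NAND = INV = 2000  # assumed delay of each combinational primitive

# Constructed inputs: D drives the first flip-flop directly, Q the second.
DOUBLE_FLIP_FLOP = (["D"], [{"D": (0, 0)}, {"Q": (0, 0)}])

# Constructed inputs: every D is two NANDs away from a neighbouring Q and a
# data input; LOAD arrives directly (two NANDs) or through the inverter.
SHIFTER = (
    ["LOAD", "AIN", "BIN", "CIN", "DIN"],
    [{"Q": (2 * NAND, 2 * NAND),
      "LOAD": (2 * NAND, INV + 2 * NAND),
      data: (2 * NAND, 2 * NAND)}
     for data in ("AIN", "BIN", "CIN", "DIN")],
)

if __name__ == "__main__":
    print("DOUBLE-FLIP-FLOP:", seq_timing(*DOUBLE_FLIP_FLOP))
    print("SHIFTER:", seq_timing(*SHIFTER))
```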


6 Future Work 

The HDL that we have described is sufficiently expressive for the modeling
of both synchronous and asynchronous devices. Thus far, however, we have
only outlined a methodology for specifying and verifying combinational and
synchronous circuits designed in this language. Many of the theorems on
which this methodology is based remain to be formalized and mechanically
checked. Once this body of theorems is established, our next goal will be to
extend the theory to the asynchronous realm. This effort will be driven by the
design of a circuit that achieves communication between two asynchronous
processors according to a version of the protocol that was formalized in [7].
The formal specification and verification of this design will be delivered with
the report on Task 5.

Appendix


;;***********************************************************************
;; WAVEFORMS
;;***********************************************************************

;;A moment in time is a pair of numbers:

(defn timep (x)
  (and (listp x)
       (numberp (car x))
       (numberp (cdr x))))

(defn zero-time ()
  '(0 . 0))

;;Moments in time are ordered lexicographically:

(defn tlessp (a b)
  (if (equal (car a) (car b))
      (lessp (cdr a) (cdr b))
      (lessp (car a) (car b))))

(defn tleq (a b)
  (not (tlessp b a)))

;;Events are scheduled at times that are computed from the current time
;;and propagation delays as follows:

(defn tplus (t0 delay)
  (if (zerop delay)
      (cons (car t0) (add1 (cdr t0)))
      (cons (plus (car t0) delay) 0)))

;;A waveform is an alist that associates signal values with the times
;;at which they are assumed by the signal:

(defn waveformp (w)
  (if (listp w)
      (if (listp (cdr w))
          (and (waveformp (cdr w))
               (timep (cdar w))
               (tlessp (cdadr w) (cdar w))
               (not (equal (caadr w) (caar w))))
          (equal (cdar w) (zero-time)))
      f))

;;A packet is a list of waveforms:

(defn packetp (l n)
  (if (zerop n)
      (nlistp l)
      (and (listp l)
           (waveformp (car l))
           (packetp (cdr l) (sub1 n)))))

;;The value of a signal at a given time is computed from its waveform
;;as follows:

(defn wave-value (wave time)
  (if (listp wave)
      (if (tlessp time (cdar wave))
          (wave-value (cdr wave) time)
          (caar wave))
      f))

(defn packet-values (packet time)
  (if (listp packet)
      (cons (wave-value (car packet) time)
            (packet-values (cdr packet) time))
      ()))

;;To compute the final value of a waveform:

(defn last-value (w)
  (caar w))

(defn last-values (p)
  (if (listp p)
      (cons (last-value (car p))
            (last-values (cdr p)))
      ()))

;;There is no restriction on the values that may be assumed by a signal.
;;The value 'X, however, is special -- it represents an unknown value.
;;Any other value is "definite". A waveform is definite if it never assumes
;;the value 'X:

(defn defvalp (v)
  (not (equal v 'x)))

(defn defwavep (w)
  (if (listp w)
      (and (defvalp (caar w))
           (defwavep (cdr w)))
      t))

;;A value v1 generalizes v2 if v1 is either v2 or 'X. A wave w1
;;generalizes a wave w2 if at all times, the value of w1 generalizes the
;;value of w2:

(defn genvalp (v1 v2)
  (or (equal v1 v2) (equal v1 'x)))

(defn genwavep (w1 w2)
  (if (and (listp w1) (listp w2))
      (and (genvalp (caar w1) (caar w2))
           (if (tlessp (cdar w2) (cdar w1))
               (genwavep (cdr w1) w2)
               (if (tlessp (cdar w1) (cdar w2))
                   (genwavep w1 (cdr w2))
                   (or (equal (cdar w1) (zero-time))
                       (genwavep (cdr w1) (cdr w2))))))
      f)
  ((lessp (plus (count w1) (count w2)))))

(defn genpacketp (p1 p2)
  (if (listp p1)
      (and (genwavep (car p1) (car p2))
           (genpacketp (cdr p1) (cdr p2)))
      (nlistp p2)))

;;Histories and futures:

(defn wave-history (wave time)
  (if (listp wave)
      (if (tlessp time (cdar wave))
          (wave-history (cdr wave) time)
          wave)
      wave))

(defn packet-history (packet time)
  (if (listp packet)
      (cons (wave-history (car packet) time)
            (packet-history (cdr packet) time))
      ()))

(defn packet-histories (packets t0)
  (if (listp packets)
      (cons (packet-history (car packets) t0)
            (packet-histories (cdr packets) t0))
      ()))

(defn wave-future (wave time)
  (if (listp wave)
      (if (tlessp time (cdar wave))
          (cons (car wave) (wave-future (cdr wave) time))
          (if (tlessp (cdar wave) time)
              (list (cons (caar wave) time))
              (list (car wave))))
      wave))

(defn packet-future (packet time)
  (if (listp packet)
      (cons (wave-future (car packet) time)
            (packet-future (cdr packet) time))
      ()))

;;To determine whether some waveform of a packet acquires a new value
;;at a given time:

(defn new-value-p (wave time)
  (if (listp wave)
      (if (tlessp time (cdar wave))
          (new-value-p (cdr wave) time)
          (equal time (cdar wave)))
      f))

(defn some-new-value-p (packet time)
  (if (listp packet)
      (or (new-value-p (car packet) time)
          (some-new-value-p (cdr packet) time))
      f))


;;***********************************************************************
;; PROPAGATION
;;***********************************************************************

;;The following two functions implement "transport" and "inertial"
;;delay, as defined in the VHDL standard. They may be used to schedule
;;a transaction with value V at time T1 on a waveform W, assuming that V
;;and all values of W are definite, and that T1 exceeds the current time:

(defn post-transport-event-definite (w v t1)
  (if (listp w)
      (if (tlessp (cdar w) t1)
          (if (equal (caar w) v)
              w
              (cons (cons v t1) w))
          (post-transport-event-definite (cdr w) v t1))
      f))

(defn post-inertial-event-definite (w v t0 t1)
  (if (listp w)
      (if (tlessp t0 (cdar w))
          (if (and (tlessp (cdar w) t1) (equal v (caar w)))
              (post-inertial-event-definite (cdr w) v t0 (cdar w))
              (post-inertial-event-definite (cdr w) v t0 t1))
          (if (equal v (caar w))
              w
              (cons (cons v t1) w)))
      f))

;;In the presence of indefinite values, we use the following more
;;general functions. Instead of fixed delays, we allow delay ranges:
;;we assume that the time of the event is at most T2 and (if T1
;;precedes T2) at least T1, where T1 and T2 both exceed T0:

(defn post-transport-event (w v t0 t1 t2)
  (if (listp w)
      (if (tlessp t0 (cdar w))
          (if (tlessp (cdar w) t2)
              (if (equal v (caar w))
                  (post-transport-event (cdr w) v t0 t1 (cdar w))
                  (if (tlessp t1 t2)
                      (if (tlessp t1 (cdar w))
                          (if (listp (cdr w))
                              (if (equal v (caadr w))
                                  (if (equal v 'x)
                                      (cdr w)
                                      (cons (cons v t2)
                                            (cons (cons 'x (cdar w))
                                                  (post-transport-event
                                                   (cddr w) v t0
                                                   t1 (cdadr w)))))
                                  (post-transport-event (cdr w) v t0 t1 t2))
                              f)
                          (if (tlessp (cdar w) t1)
                              (if (equal (caar w) 'x)
                                  (cons (cons v t2) w)
                                  (if (equal v 'x)
                                      (cons (cons 'x t1) w)
                                      (cons (cons v t2) (cons (cons 'x t1) w))))
                              (if (listp (cdr w))
                                  (if (equal (caadr w) 'x)
                                      (cons (cons v t2) (cdr w))
                                      (if (equal v 'x)
                                          (cons (cons 'x t1) w)
                                          (cons (cons v t2)
                                                (cons (cons 'x t1) (cdr w)))))
                                  f)))
                      (cons (cons v t2) w)))
              (post-transport-event (cdr w) v t0 t1 t2))
          (if (equal (caar w) v)
              w
              (if (equal (caar w) 'x)
                  (cons (cons v t2) w)
                  (if (tlessp t1 t2)
                      (if (equal v 'x)
                          (cons (cons 'x t1) w)
                          (cons (cons v t2) (cons (cons 'x t1) w)))
                      (cons (cons v t2) w)))))
      f))



(defn post-inertial-event (w v t0 t1 t2)
  (if (listp w)
      (if (tlessp t0 (cdar w))
          (if (tlessp (cdar w) t2)
              (if (equal v (caar w))
                  (post-inertial-event (cdr w) v t0 t1 (cdar w))
                  (if (and (tlessp (cdar w) t1)
                           (or (equal (caar w) 'x)
                               (and (equal v 'x)
                                    (not (equal (caar w) (cdadr w))))))
                      (post-inertial-event (cdr w) v t0 (cdar w) t2)
                      (post-inertial-event (cdr w) v t0 t1 t2)))
              (post-inertial-event (cdr w) v t0 t1 t2))
          (if (equal (caar w) v)
              w
              (if (equal (caar w) 'x)
                  (cons (cons v t2) w)
                  (if (tlessp t1 t2)
                      (if (equal v 'x)
                          (cons (cons 'x t1) w)
                          (cons (cons v t2) (cons (cons 'x t1) w)))
                      (cons (cons v t2) w)))))
      f))

;;We also provide a third delay mode, NONDETERMINISTIC, which generalizes
;;both TRANSPORT and INERTIAL:

(defn post-nondeterministic-event (w v t0 t1 t2)
  (if (listp w)
      (if (tlessp t0 (cdar w))
          (if (tlessp (cdar w) t1)
              (if (listp (cdr w))
                  (if (equal (caar w) (caadr w))
                      (post-nondeterministic-event (cdr w) v t0 t1 t2)
                      (post-nondeterministic-event
                       (cdr w) v t0 (cdar w) t2))
                  f)
              (post-nondeterministic-event (cdr w) v t0 t1 t2))
          (if (or (equal (caar w) 'x) (tleq t2 t1))
              (if (equal (caar w) v)
                  w
                  (cons (cons v t2) w))
              (if (equal v 'x)
                  (cons (cons 'x t1) w)
                  (cons (cons v t2) (cons (cons 'x t1) w)))))
      t))


;;***********************************************************************
;; MODULES
;;***********************************************************************

(defn type (mod)
  ;a litatom
  (car mod))

(disable type)

;;We shall implement three module types, COMBINATIONAL, SEQUENTIAL, and
;;STRUCTURAL. Combinational and sequential modules are called BEHAVIORAL.

(defn combinationalp (mod)
  (equal (type mod) 'combinational))

(defn sequentialp (mod)
  (equal (type mod) 'sequential))

(defn behavioralp (mod)
  (or (combinationalp mod) (sequentialp mod)))

(defn structuralp (mod)
  (equal (type mod) 'structural))

;;Associated with any module are lists of inputs and outputs:

(defn inputs (mod)
  (cadr mod))

(disable inputs)

(defn outputs (mod)
  (caddr mod))

(disable outputs)

(defn number-of-inputs (mod)
  (length (inputs mod)))

(defn number-of-outputs (mod)
  (length (outputs mod)))

;;Module behavior will be characterized by a "step" function of 4
;;arguments: (1) a module, (2) an input packet, (3) an output packet,
;;and (4) a time. The value returned is the result of updating the
;;output packet by executing any events in the input packet that occur
;;at the given time. This function will be required to exhibit the
;;following five properties (although I don't know why I care about
;;the last two):

;; (1) Monotonic:

;;     (IMPLIES (AND (PACKETP INP1 (NUMBER-OF-INPUTS mod))
;;                   (PACKETP INP2 (NUMBER-OF-INPUTS mod))
;;                   (GENPACKETP INP1 INP2)
;;                   (PACKETP OUT1 (NUMBER-OF-OUTPUTS mod))
;;                   (PACKETP OUT2 (NUMBER-OF-OUTPUTS mod))
;;                   (GENPACKETP OUTP1 OUTP2)
;;                   (TIMEP T0))
;;              (GENPACKETP (STEP mod INP1 OUTP1 T0)
;;                          (STEP mod INP2 OUTP2 T0)))

;; (2) Nonpredictive:

;;     (IMPLIES (AND (PACKETP INP1 (NUMBER-OF-INPUTS mod))
;;                   (PACKETP INP2 (NUMBER-OF-INPUTS mod))
;;                   (EQUAL (PACKET-HISTORY INP1 T0)
;;                          (PACKET-HISTORY INP2 T0))
;;                   (PACKETP OUT (NUMBER-OF-OUTPUTS mod))
;;                   (TIMEP T0))
;;              (EQUAL (STEP mod INP1 OUTP T0)
;;                     (STEP mod INP2 OUTP T0)))

;;For combinational modules, Property (2) may be strengthened as follows:

;;     (IMPLIES (AND (PACKETP INP1 (NUMBER-OF-INPUTS mod))
;;                   (PACKETP INP2 (NUMBER-OF-INPUTS mod))
;;                   (EQUAL (PACKET-VALUES INP1 T0)
;;                          (PACKET-VALUES INP2 T0))
;;                   (PACKETP OUT (NUMBER-OF-OUTPUTS mod))
;;                   (TIMEP T0))
;;              (EQUAL (STEP mod INP1 OUTP T0)
;;                     (STEP mod INP2 OUTP T0)))

;; (3) Nonretroactive:

;;     (IMPLIES (AND (PACKETP INP (NUMBER-OF-INPUTS mod))
;;                   (PACKETP OUT (NUMBER-OF-OUTPUTS mod))
;;                   (TIMEP T0))
;;              (EQUAL (PACKET-HISTORY (STEP mod INP OUTP T0) T0)
;;                     (PACKET-HISTORY OUTP T0)))

;; (4) Nonretrospective:

;;     (IMPLIES (AND (PACKETP INP (NUMBER-OF-INPUTS mod))
;;                   (PACKETP OUT1 (NUMBER-OF-OUTPUTS mod))
;;                   (PACKETP OUT2 (NUMBER-OF-OUTPUTS mod))
;;                   (EQUAL (PACKET-FUTURE OUTP1 T0)
;;                          (PACKET-FUTURE OUTP2 T0))
;;                   (TIMEP T0))
;;              (EQUAL (PACKET-FUTURE (STEP mod INP OUTP1 T0) T0)
;;                     (PACKET-FUTURE (STEP mod INP OUTP2 T0) T0)))

;; (5) Idempotent:

;;     (IMPLIES (AND (PACKETP INP (NUMBER-OF-INPUTS mod))
;;                   (PACKETP OUT (NUMBER-OF-OUTPUTS mod))
;;                   (TIMEP T0))
;;              (EQUAL (STEP mod INP (STEP mod INP OUTP T0) T0)
;;                     (STEP mod INP OUTP T0)))

;;***********************************************************************
;; COMBINATIONAL MODULES
;;***********************************************************************

;;Associated with each output of a behavioral module is a delay mode,
;;which may be INERTIAL, TRANSPORT, or NONDETERMINISTIC, and a delay
;;range:

(defn modes (mod)
  ;a list of litatoms
  (cadddr mod))

(disable modes)

(defn delays (mod)
  ;a list of pairs of numbers, (MIN . MAX), corresponding to outputs.
  ;If MAX is NIL (more generally, if MAX does not exceed MIN), then MIN
  ;is used for both extremes.
  (caddddr mod))

(disable delays)

(defn min-delay (pair) (car pair))

(defn max-delay (pair)
  (max (car pair) (cdr pair)))

(defn post-event (w v t0 mode t1 t2)
  (case mode
    (transport (post-transport-event w v t0 t1 t2))
    (inertial (post-inertial-event w v t0 t1 t2))
    (nondeterministic (post-nondeterministic-event w v t0 t1 t2))
    (otherwise (post-inertial-event w v t0 t1 t2))))

(defn post-events (packet values t0 modes delays)
  (if (listp packet)
      (cons (post-event (car packet)
                        (car values)
                        t0
                        (car modes)
                        (tplus t0 (min-delay (car delays)))
                        (tplus t0 (max-delay (car delays))))
            (post-events (cdr packet)
                         (cdr values)
                         t0
                         (cdr modes)
                         (cdr delays)))
      ()))

(defn combinational-step (mod inp outp time)
  (post-events outp
               (eval$ 'list
                      (outputs mod)
                      (pairlist (inputs mod) (packet-values inp time)))
               time
               (modes mod)
               (delays mod)))


;;Some gates:

(defn m-and (a b)
  (if (equal a 'f) 'f
      (if (equal b 'f) 'f
          (if (and (equal a 't) (equal b 't)) 't
              'x))))

(defn m-or (a b)
  (if (equal a 't) 't
      (if (equal b 't) 't
          (if (and (equal a 'f) (equal b 'f)) 'f
              'x))))

(defn m-not (a)
  (if (equal a 't) 'f
      (if (equal a 'f) 't
          'x)))

(defn m-nand (a b)
  (m-not (m-and a b)))

(defn m-and3 (a b c)
  (if (equal a 'f) 'f
      (if (equal b 'f) 'f
          (if (equal c 'f) 'f
              (if (and (equal a 't) (equal b 't) (equal c 't)) 't
                  'x)))))

(defn m-nand3 (a b c)
  (m-not (m-and3 a b c)))

(defn inv ()
  '(combinational          ;type
    (a)                    ;inputs
    ((m-not a))            ;outputs
    (inertial)             ;modes
    ((2000))))             ;delays

(defn nand ()
  '(combinational          ;type
    (a b)                  ;inputs
    ((m-nand a b))         ;outputs
    (inertial)             ;modes
    ((2000))))             ;delays

(defn nand3 ()
  '(combinational          ;type
    (a b c)                ;inputs
    ((m-nand3 a b c))      ;outputs
    (inertial)             ;modes
    ((2000))))             ;delays


;;***********************************************************************
;; SEQUENTIAL MODULES
;;***********************************************************************

;;A sequential module has (along with INPUTS, OUTPUTS, MODES, and DELAYS)
;;six additional components:

(defn trigger (mod)
  ;either POSITIVE-EDGE or NEGATIVE-EDGE
  (cadddddr mod))

(defn locals (mod)
  ;a list of litatoms (internal state variables) from which output forms
  ;are constructed (rather than from input variables)
  (caddddddr mod))

(disable locals)

(defn state (mod)
  ;a list of forms (for computing local values), which may involve locals
  ;and input variables
  (cadddddddr mod))

(disable state)

(defn period (mod)
  ;a number
  (caddddddddr mod))

(disable period)

(defn setups (mod)
  ;a list of numbers
  (cadddddddddr mod))

(disable setups)

(defn holds (mod)
  ;a list of numbers
  (caddddddddddr mod))

(disable holds)

;;A positive-edge-triggered device:

(defn d-flip-flop ()
  '(sequential             ;type
    (clk d)                ;inputs
    (q (m-not q))          ;outputs
    (inertial inertial)    ;modes
    ((4000 . 6000)         ;delays
     (4000 . 6000))
    positive-edge          ;trigger
    (q)                    ;locals
    (d)                    ;state
    12000                  ;period
    (6000 4000)            ;setups
    (6000 4000)))          ;holds


(defn ncopies (n x)
  (if (zerop n)
      ()
      (cons x (ncopies (sub1 n) x))))

(defn kill-state (mod)
  (ncopies (length (locals mod)) 'x))

(defn next-state (state inputs mod)
  (eval$ 'list
         (state mod)
         (append (pairlist (locals mod) state)
                 (pairlist (cdr (inputs mod)) inputs))))

(defn check-clock-setup-or-hold (w time)
  (and (equal (caadr w) (m-not (caar w)))
       (tleq (tplus (cdadr w) time) (cdar w))))

(defn check-data-setups (inp time setups)
  (if (listp inp)
      (and (not (equal (last-value (car inp)) 'x))
           (tleq (tplus (cdaar inp) (car setups)) time)
           (check-data-setups (cdr inp) time (cdr setups)))
      t))

(defn check-period (w period)
  (and (equal (caaddr w) (caar w))
       (tleq (tplus (cdaddr w) period) (cdar w))))

(defn check-data-holds (inp edge time holds)
  (if (listp inp)
      (and (or (not (new-value-p (car inp) time))
               (tleq (tplus edge (car holds)) time))
           (check-data-holds (cdr inp) edge time (cdr holds)))
      t))

(defn last-time (p)
  (if (listp p)
      (if (tlessp (last-time (cdr p)) (cdaar p))
          (cdaar p)
          (last-time (cdr p)))
      (zero-time)))

(defn strip-events (p time)
  (if (listp p)
      (if (equal time (cdaar p))
          (cons (cdar p) (strip-events (cdr p) time))
          (cons (car p) (strip-events (cdr p) time)))
      p))

(prove-lemma leq-count-strip-events (rewrite)
  (not (lessp (count p) (count (strip-events p time)))))

(prove-lemma lessp-count-strip-events (rewrite)
  (implies (and (packetp p n) (not (equal (last-time p) (zero-time))))
           (lessp (count (strip-events p (last-time p)))
                  (count p))))

(disable strip-events)

(disable last-time)

(defn compute-state (mod inp trigger)
  (if (packetp inp (length inp))
      (let ((time (last-time inp)))
        (if (equal time (zero-time))
            (kill-state mod)
            (if (equal (cdar (car inp)) time)
                (if (equal (caar (car inp)) trigger)
                    (if (and (check-clock-setup-or-hold
                              (car inp) (car (setups mod)))
                             (check-data-setups
                              (cdr inp) time (cdr (setups mod)))
                             (check-period (car inp) (period mod)))
                        (next-state (compute-state mod
                                                   (strip-events inp time)
                                                   trigger)
                                    (last-values (cdr inp))
                                    mod)
                        (kill-state mod))
                    (if (and (equal (caar (car inp)) (m-not trigger))
                             (check-clock-setup-or-hold
                              (car inp) (car (holds mod))))
                        (compute-state mod (strip-events inp time) trigger)
                        (kill-state mod)))
                (if (and (equal (cdar (car inp)) trigger)
                         (not (check-data-holds
                               (cdr inp) (cdar (car inp))
                               time (cdr (holds mod)))))
                    (kill-state mod)
                    (compute-state mod (strip-events inp time) trigger)))))
      f)
  ((lessp (count inp))))

(enable strip-events)

(enable last-time)

(defn sequential-state (mod inp)
  (case (trigger mod)
    (positive-edge (compute-state mod inp 't))
    (negative-edge (compute-state mod inp 'f))
    (otherwise (compute-state mod inp 't))))

(defn sequential-step (mod inp outp time)
  (post-events
   outp
   (eval$ 'list
          (outputs mod)
          (pairlist (locals mod)
                    (sequential-state mod (packet-history inp time))))
   time
   (modes mod)
   (delays mod)))

(defn behavioral-step (mod inp outp time)
  (case (type mod)
    (combinational (combinational-step mod inp outp time))
    (sequential (sequential-step mod inp outp time))
    (otherwise f)))


* . *****#**+*+*+************★***+******+*+****+************************ 

j j STRUCTURAL MODULES 

* • *****************+++ ************************ ************************ 

;;Structural modules are built recursively out of submodules. A 
;; structural module has 5 components: 

;(defn inputs (mod) 

; ;a list of litatoms 
; (cadr mod)) 

;(defn outputs (mod) 

; ;a list of litatoms 
; (caddr mod)) 

(defn submodules (mod) 

;a list of modules 
(cadddr mod)) 

(disable submodules) 

(defn subinputs (mod) 

;a list of lists of litatoms 
(caddddr mod)) 

(disable subinputs) 

(defn suboutputs (mod) 

;a list of lists of litatoms 
(cadddddr mod)) 
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(disable suboutput a) 


(defn unionl (1) 

( if (liatp 1) 

(union (car 1) (unionl (cdr 1))) 

())) 

(defn signals (mod) 

(unionl (cons (inputs mod) (suboutputs mod)))) 

(defn lookup (key keys list)
  (if (listp keys)
      (if (equal key (car keys))
          (car list)
          (lookup key (cdr keys) (cdr list)))
      f))

(defn find-list (key lists)
  (if (listp lists)
      (if (member key (car lists))
          (car lists)
          (find-list key (cdr lists)))
      f))

(defn find-outputs (out mod) 

(find-list out (suboutputs mod))) 

(defn lookup-list (key keys list) 

(if (listp keys) 

(if (member key (car keys)) 

(car list) 

(lookup-list key (cdr keys) (cdr list))) 
f)) 

(defn find-submodule (out mod) 

(lookup-list out (suboutputs mod) (submodules mod))) 

(defn find-inputs (out mod)
  (lookup-list out (suboutputs mod) (subinputs mod)))

(defn find-delay (out mod)
  (lookup out (find-outputs out mod) (delays (find-submodule out mod))))

(defn find-mode (out mod)
  (lookup out (find-outputs out mod) (modes (find-submodule out mod))))

;;The following macro is given for convenience in defining structural
;;modules:

(defmacro defcircuit (name inputs outputs &rest occurrences)
  `(defn ,name ()
     `(structural ,',inputs ,',outputs
                  ,(list ,@(mapcar #'first occurrences))
                  ,',(mapcar #'second occurrences)
                  ,',(mapcar #'third occurrences))))

;;As an example, we build a D-flip-flop out of nand gates:

(defcircuit d-with-nands
  (clk d)                       ; inputs
  (q qn)                        ; outputs
  ((nand) (b2 b1) (a1))
  ((nand) (a1 clk) (b1))
  ((nand3) (b1 clk b2) (a2))
  ((nand) (a2 d) (b2))
  ((nand) (b1 qn) (q))
  ((nand) (q a2) (qn)))

;;We define two predicates that must be satisfied by any structural
;;module.  The first of these, SYNTAX-OK, checks that all lists have
;;appropriate lengths, etc.:

(defn match-inputs (subins subs)
  (if (listp subs)
      (and (listp subins)
           (equal (length (car subins)) (number-of-inputs (car subs)))
           (match-inputs (cdr subins) (cdr subs)))
      t))

(defn match-outputs (subouts subs)
  (if (listp subs)
      (and (equal (length (car subouts)) (number-of-outputs (car subs)))
           (match-outputs (cdr subouts) (cdr subs)))
      t))

(defn appears (x l)
  (if (listp l)
      (or (member x (car l))
          (appears x (cdr l)))
      f))

(defn all-appear (l m)
  (if (listp l)
      (and (appears (car l) m)
           (all-appear (cdr l) m))
      t))

(defn lists-all-appear (ls m)
  (if (listp ls)
      (and (all-appear (car ls) m)
           (lists-all-appear (cdr ls) m))
      t))

(defn none-appear (l m)
  (if (listp l)
      (and (not (appears (car l) m))
           (none-appear (cdr l) m))
      t))


(defn distinct-symbols (l)
  (if (listp l)
      (and (litatom (car l))
           (not (member (car l) (cdr l)))
           (distinct-symbols (cdr l)))
      t))

(defn all-distinct-symbols (ls)
  (if (listp ls)
      (and (distinct-symbols (car ls))
           (none-appear (car ls) (cdr ls))
           (all-distinct-symbols (cdr ls)))
      t))

(defn syntax-ok (mod)
  (and (equal (length (subinputs mod)) (length (submodules mod)))
       (match-inputs (subinputs mod) (submodules mod))
       (equal (length (suboutputs mod)) (length (submodules mod)))
       (match-outputs (suboutputs mod) (submodules mod))
       (all-appear (outputs mod) (suboutputs mod))
       (lists-all-appear
        (subinputs mod) (cons (inputs mod) (suboutputs mod)))
       (all-distinct-symbols (cons (inputs mod) (suboutputs mod)))))

;;The other predicate that must be satisfied by any structural module,
;;DELTA-ACYCLIC, checks for cyclic 0-delay paths.  It is defined in
;;terms of an important auxiliary function, DLEVEL$:

(defn delete (x l)
  (if (listp l)
      (if (equal x (car l))
          (cdr l)
          (cons (car l) (delete x (cdr l))))
      l))

(defn subbagp (l m)
  (if (listp l)
      (and (member (car l) m)
           (subbagp (cdr l) (delete (car l) m)))
      t))

(defn subsetp (l m)
  (if (listp l)
      (and (member (car l) m)
           (subsetp (cdr l) m))
      t))

(prove-lemma length-delete (rewrite)
  (implies (member x l)
           (equal (length (delete x l))
                  (sub1 (length l)))))

(prove-lemma member-delete (rewrite)
  (implies (and (member x l)
                (not (equal x y)))
           (member x (delete y l))))

(prove-lemma lessp-length-subbagp ()
  (implies (and (subbagp l m)
                (member x m)
                (not (member x l)))
           (lessp (length l) (length m))))

(prove-lemma subsetp-delete (rewrite)
  (implies (and (subsetp l m)
                (not (member x l)))
           (subsetp l (delete x m))))

(prove-lemma subsetp-subbagp (rewrite)
  (implies (and (distinct-symbols l)
                (subsetp l m))
           (subbagp l m))
  ((induct (subbagp l m))))

(prove-lemma lessp-length-subset (rewrite)
  (implies (and (subsetp l m)
                (distinct-symbols l)
                (member x m)
                (not (member x l)))
           (lessp (length l) (length m)))
  ((use (lessp-length-subbagp))))

(defn fmax (x y)

;the maximum of x and y, with F treated as infinite 
(if (and x y) 

(max x y) 
f)) 

(defn select-deltas (delays env) 

(if (listp delays) 

(if (zerop (min-delay (car delays))) 

(cons (car env) (select-deltas (cdr delays) (cdr env))) 
(select-deltas (cdr delays) (cdr env))) 

())) 

(prove-lemma lessp-count-submodules-mod (rewrite) 

(implies (structuralp mod) 

(equal (lessp (count (submodules mod)) (count mod)) t)) 
((enable submodules type))) 

;;Suppose IN is a signal of a structural module MOD, ENV is a list of
;;length (NUMBER-OF-OUTPUTS MOD), and BAD is a list of signals of MOD.
;;Assume that for each i < (NUMBER-OF-OUTPUTS MOD), the ith member of
;;ENV is the length of the longest 0-delay path starting at the ith
;;member of (OUTPUTS MOD) and leading outward.  Assume further that
;;there is an infinite (i.e., cyclic) 0-delay path starting at each BAD
;;signal.  Then (DLEVEL$ 0 IN MOD ENV BAD) is the length of the longest
;;0-delay path starting at IN:

(defn lookup-all (x l m)
  (if (listp l)
      (if (equal x (car l))
          (cons (car m) (lookup-all x (cdr l) (cdr m)))
          (lookup-all x (cdr l) (cdr m)))
      ()))

(defn lookup-inputs (x l m)
  (if (listp l)
      (cons (lookup-all x (car l) (inputs (car m)))
            (lookup-inputs x (cdr l) (cdr m)))
      m))

(defn fmaxl (l)
  (if (listp l)
      (fmax (car l) (fmaxl (cdr l)))
      0))

(defn fmaxll (l)
  (if (listp l)
      (fmax (fmaxl (car l)) (fmaxll (cdr l)))
      0))

(defn faddl (n)
  (if n (add1 n) f))

(defn faddll (l)
  (if (listp l)
      (cons (faddl (car l)) (faddll (cdr l)))
      ()))

(defn dlevel$ (mode in mod env bad)
  (case mode
    (0 (if (structuralp mod)
           (if (and (not (member in bad))
                    (equal (length (suboutputs mod))
                           (length (submodules mod)))
                    (member in (signals mod))
                    (distinct-symbols bad)
                    (subsetp bad (signals mod)))
               (fmaxll (cons (lookup-all in (outputs mod) env)
                             (dlevel$
                              3
                              (lookup-inputs in
                                             (subinputs mod)
                                             (submodules mod))
                              (submodules mod)
                              (dlevel$ 2 (suboutputs mod) mod env
                                       (cons in bad))
                              ())))
               f)
           (fmaxl (faddll (select-deltas (delays mod) env)))))
    (1 (if (listp in)
           (cons (dlevel$ 0 (car in) mod env bad)
                 (dlevel$ 1 (cdr in) mod env bad))
           ()))
    (2 (if (listp in)
           (cons (dlevel$ 1 (car in) mod env bad)
                 (dlevel$ 2 (cdr in) mod env bad))
           ()))
    (3 (if (listp mod)
           (cons (dlevel$ 1 (car in) (car mod) (car env) bad)
                 (dlevel$ 3 (cdr in) (cdr mod) (cdr env) bad))
           ()))
    (otherwise f))
  ((ord-lessp (lex (list (count mod)
                         (difference (length (signals mod)) (length bad))
                         (count in))))))


(defn delta-acyclic (mod)
  ;determines whether there is any cyclic 0-delay path within MOD
  (fmaxll (dlevel$ 2
                   (suboutputs mod)
                   mod
                   (ncopies (number-of-outputs mod) 0)
                   ())))
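
The check that DELTA-ACYCLIC and DLEVEL$ perform, as an added Python example (not part of the original listing). It is narrowed to one level of structure whose submodules are primitive gates, reuses the D flip-flop netlist defined above, and assumes constructed per-gate minimum delays; None plays the role of F (an infinite, i.e. cyclic, 0-delay path).

```python
"""Zero-delay path analysis for a one-level structural module (added example)."""

# Occurrences copied from the listing's d-with-nands circuit:
# (gate name, input signals, output signals).
OCCURRENCES = [
    ("nand",  ("b2", "b1"),        ("a1",)),
    ("nand",  ("a1", "clk"),       ("b1",)),
    ("nand3", ("b1", "clk", "b2"), ("a2",)),
    ("nand",  ("a2", "d"),         ("b2",)),
    ("nand",  ("b1", "qn"),        ("q",)),
    ("nand",  ("q", "a2"),         ("qn",)),
]

# Constructed delay assignments (assumptions, not values from the report).
UNIT_DELAYS = {s: 1 for s in ("a1", "b1", "a2", "b2", "q", "qn")}
ZERO_DELAYS = {s: 0 for s in UNIT_DELAYS}
MIXED_DELAYS = {"a1": 1, "b1": 0, "a2": 0, "b2": 1, "q": 1, "qn": 0}


def d_with_nands(min_delay):
    """Build the module; min_delay maps each gate output to its minimum delay."""
    gates = [(name, ins, outs, tuple(min_delay[o] for o in outs))
             for name, ins, outs in OCCURRENCES]
    return {"inputs": ("clk", "d"), "outputs": ("q", "qn"), "gates": gates}


def signals(mod):
    """Module inputs followed by every submodule output, as in SIGNALS."""
    return list(mod["inputs"]) + [o for _, _, outs, _ in mod["gates"] for o in outs]


def syntax_ok(mod):
    """The wiring conditions of SYNTAX-OK for this flat representation."""
    driven = [o for _, _, outs, _ in mod["gates"] for o in outs]
    sigs = signals(mod)
    return (len(set(sigs)) == len(sigs)                    # all-distinct-symbols
            and all(o in driven for o in mod["outputs"])   # all-appear
            and all(i in sigs                              # lists-all-appear
                    for _, ins, _, _ in mod["gates"] for i in ins))


def fmax(x, y):
    """Maximum in which None (the listing's F) means an infinite path."""
    return None if x is None or y is None else max(x, y)


def dlevel(sig, mod, bad=frozenset()):
    """Length of the longest 0-delay path starting at sig, or None if cyclic.

    bad holds the signals already on the current path, like DLEVEL$'s BAD.
    """
    if sig in bad:
        return None
    level = 0
    for _, ins, outs, delays in mod["gates"]:
        if sig not in ins:
            continue
        for out, delay in zip(outs, delays):
            if delay == 0:  # select-deltas keeps only the 0-delay outputs
                nxt = dlevel(out, mod, bad | {sig})
                level = fmax(level, None if nxt is None else nxt + 1)
                if level is None:
                    return None
    return level


def dmin(mod):
    """Smallest usable delta bound D: the largest dlevel, or None if cyclic."""
    bound = 0
    for sig in signals(mod):
        bound = fmax(bound, dlevel(sig, mod))
    return bound


def delta_acyclic(mod):
    """True when no cyclic 0-delay path exists within mod."""
    return dmin(mod) is not None


if __name__ == "__main__":
    for label, delays in (("unit", UNIT_DELAYS), ("zero", ZERO_DELAYS),
                          ("mixed", MIXED_DELAYS)):
        mod = d_with_nands(delays)
        print(label, syntax_ok(mod), delta_acyclic(mod), dmin(mod))
```

With every gate at zero delay the cross-coupled nands form a 0-delay loop and the module is rejected; with the mixed assignment the longest 0-delay chain has three gates, so D must be at least 3.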

(defn modulep$ (flag mod)
  (if (equal flag 'list)
      (if (listp mod)
          (and (modulep$ t (car mod))
               (modulep$ 'list (cdr mod)))
          t)
      (case (type mod)
        (structural
         (and (syntax-ok mod)
              (delta-acyclic mod)
              (modulep$ 'list (submodules mod))))
        (combinational
         (and (equal (length (delays mod)) (length (outputs mod)))
              (equal (length (modes mod)) (length (outputs mod)))))
        (sequential
         (and (equal (length (delays mod)) (length (outputs mod)))
              (equal (length (modes mod)) (length (outputs mod)))
              (equal (length (state mod)) (length (locals mod)))
              (equal (length (holds mod)) (length (inputs mod)))
              (equal (length (setups mod)) (length (inputs mod)))))
        (otherwise f))))

(defn modulep (mod)
  (modulep$ t mod))

;;We shall define a step function for structural modules.  Instead
;;of an output packet, the object on which this function operates
;;(its third argument and its value) is an output "bundle", which
;;consists of a packet corresponding to each behavioral component.

;;First, we extract from a wave bundle the packet corresponding
;;to a module's output signals:

(defn select-wave (key signals packets)

(if (listp packets) 

(if (member key (car signals)) 

(lookup key (car signals) (car packets)) 

(select-wave key (cdr signals) (cdr packets))) 
f)) 

(defn select-packet (keys signals packets) 

(if (listp keys) 

(cons (select-wave (car keys) signals packets) 

(select-packet (cdr keys) signals packets)) 

())) 

(defn output-packet$ (flag bundle mod)
  (if (equal flag 'list)
      (if (listp mod)
          (cons (output-packet$ t (car bundle) (car mod))
                (output-packet$ flag (cdr bundle) (cdr mod)))
          ())
      (if (structuralp mod)
          (select-packet
           (outputs mod)
           (suboutputs mod)
           (output-packet$ 'list bundle (submodules mod)))
          bundle)))

(defn output-packet (bundle module)
  (output-packet$ t bundle module))

;;Next, we extract, from an input packet and a bundle, a list of
;;the input packets to a module's submodules:

(defn input-packet (ins inpacket bundle mod)
  (select-packet
   ins
   (cons (inputs mod) (suboutputs mod))
   (cons inpacket (output-packet$ 'list bundle (submodules mod)))))

(defn input-packets (ins inpacket bundle mod)
  (if (listp ins)
      (cons (input-packet (car ins) inpacket bundle mod)
            (input-packets (cdr ins) inpacket bundle mod))
      ()))

(defn subinput-packets (inpacket bundle mod)
  (input-packets (subinputs mod) inpacket bundle mod))

(defn step$ (flag mod inpacket bundle time)
  (if (equal flag 'list)
      (if (listp mod)
          (cons (step$ t (car mod) (car inpacket) (car bundle) time)
                (step$ 'list (cdr mod) (cdr inpacket) (cdr bundle) time))
          ())
      (if (structuralp mod)
          (step$ 'list
                 (submodules mod)
                 (subinput-packets inpacket bundle mod)
                 bundle
                 time)
          (if (some-new-value-p inpacket time)
              (behavioral-step mod inpacket bundle time)
              bundle))))

(defn step (mod inpacket bundle time)
  (step$ t mod inpacket bundle time))


;;**********************************************************************
;;                             SIMULATION
;;**********************************************************************

;;A simulation of a module is the computation of an output packet
;;produced in response to a given input packet.  We would like to allow
;;both packets to be infinite.  Note that even when the input packet is
;;finite, the output (of a structural module) may never stabilize.

;;Since our implementation does not allow the explicit representation of
;;infinite waveforms, our simulator takes a time argument (in addition
;;to a module and input packet).  The value returned is a wave packet
;;representing the output produced up to that time.

;;The simulator is defined recursively in terms of STEP.  In order to
;;guarantee termination of the recursion, all events are assumed to be
;;scheduled at times whose 2nd (delta) components are uniformly bounded
;;by some number D, which is passed to the simulator as a 4th argument.

;;The valid time that immediately follows a given time is computed as
;;follows:

(defn tinc (time d)
  (if (lessp (cdr time) d)
      (cons (car time) (add1 (cdr time)))
      (cons (add1 (car time)) 0)))

;;We define a function that steps recursively: 

(defn walk (mod inpacket bundle start stop d)
  (if (tlessp start stop)
      (walk mod
            inpacket
            (step mod inpacket bundle (tinc start d))
            (tinc start d)
            stop
            d)
      bundle)
  ((ord-lessp (cons (add1 (difference (add1 (car stop)) (car start)))
                    (difference d (cdr start))))))

;;We make no assumptions about the waveforms initially associated with any
;;of the signals produced by MOD.  Thus, we take each of these to be the
;;waveform whose value is everywhere unknown:

(defn null-bundle$ (flag mod)
  (if (equal flag 'list)
      (if (listp mod)
          (cons (null-bundle$ t (car mod))
                (null-bundle$ 'list (cdr mod)))
          ())
      (if (structuralp mod)
          (null-bundle$ 'list (submodules mod))
          (ncopies (number-of-outputs mod) (list (cons 'x (zero-time)))))))

(defn initialize (mod inp)
  (step mod inp (null-bundle$ t mod) (zero-time)))

(defn sim (mod inp t1 d)
  (packet-history
   (output-packet
    (walk mod inp (initialize mod inp) (zero-time) t1 d) mod)
   t1))


;;**********************************************************************
;;                          DELTA CONSTRAINTS
;;**********************************************************************

;;We require that no event is ever scheduled for a time with delta
;;component exceeding the D argument of WALK.  This imposes a lower
;;bound on D, namely, the maximum of the dlevels of the signals of MOD
;;and its submodules:

(defn dmin$ (flag mod env)
  (if (equal flag 'list)
      (if (listp mod)
          (max (dmin$ t (car mod) (car env))
               (dmin$ 'list (cdr mod) (cdr env)))
          0)
      (if (structuralp mod)
          (max (fmaxll (dlevel$ 2
                                (cons (inputs mod) (suboutputs mod))
                                mod env ()))
               (dmin$ 'list
                      (submodules mod)
                      (dlevel$ 2 (suboutputs mod) mod env ())))
          (max (fmaxl env)
               (fmaxl (faddll (select-deltas (delays mod) env)))))))

(defn dmin (mod env)
  (dmin$ t mod env))

;;Restrictions are similarly imposed on the 2nd and 3rd arguments of
;;WALK:

(defn bounded-delta-p (x d)
  (leq (cdr x) d))

(defn bounded-waveform-p (w d)
  (if (listp w)
      (if (listp (cdr w))
          (and (bounded-waveform-p (cdr w) d)
               (timep (cdar w))
               (bounded-delta-p (cdar w) d)
               (tlessp (cdadr w) (cdar w))
               (not (equal (caadr w) (caar w))))
          (equal (cdar w) (zero-time)))

D) 

(defn bounded-packet-p (p dlist)
  (if (listp dlist)
      (and (listp p)
           (bounded-waveform-p (car p) (car dlist))
           (bounded-packet-p (cdr p) (cdr dlist)))
      (nlistp p)))

(defn differences (d l)
  (if (listp l)
      (cons (difference d (car l))
            (differences d (cdr l)))
      ()))

(defn inpacketp (p mod env d)
  (and (leq (dmin mod env) d)
       (bounded-packet-p
        p (differences d (dlevel$ 1 (inputs mod) mod env ())))))

(defn bundlep$ (flag bun mod env d)
  (if (equal flag 'list)
      (if (listp mod)
          (and (bundlep$ t (car bun) (car mod) (car env) d)
               (bundlep$ 'list (cdr bun) (cdr mod) (cdr env) d))
          (nlistp bun))
      (if (structuralp mod)
          (bundlep$ 'list
                    bun
                    (submodules mod)
                    (dlevel$ 2 (suboutputs mod) mod env ())
                    d)
          (bounded-packet-p bun (differences d env)))))

(defn bundlep (bun mod env d)
  (bundlep$ t bun mod env d))


;;**********************************************************************
;;                          A FAST SIMULATOR
;;**********************************************************************

(defn update-state (mod inp state time trigger) 

(if (equal time (zero-time)) 

(kill-state mod) 

(if (new-value-p (car inp) time) 

(if (equal (caar (car inp)) trigger) 

(if (and (check-clock-setup-or-hold 

(car inp) (car (setups mod))) 

(check-data-setups

(cdr inp) time (cdr (setups mod))) 

(check-period (car inp) (period mod))) 

(next-state state (last-values (cdr inp)) mod) 
(kill-state mod)) 

(if (and (equal (caar (car inp)) (m-not trigger)) 
(check-clock-setup-or-hold 
(car inp) (car (holds mod)))) 

state 

(kill-state mod))) 

(if (and (equal (cdar (car inp)) trigger) 

(not (check-data-holds 

(cdr inp) (cdar (car inp)) 
time (cdr (holds mod))))) 

(kill-state mod) 
state))) 

((lessp (count inp)))) 

(defn fast-sequential-step (mod inp bundle time)
  (let ((state (update-state
                mod
                (packet-history inp time)
                (cdr bundle)
                time
                (if (equal (trigger mod) 'negative-edge) 'f 't))))
    (cons (post-events
           (car bundle)
           (eval$ 'list (outputs mod) (pairlist (locals mod) state))
           time
           (modes mod)
           (delays mod))
          state)))

(defn fast-behavioral-step (mod inp bundle time)
  (case (type mod)
    (combinational (combinational-step mod inp bundle time))
    (sequential (fast-sequential-step mod inp bundle time))
    (otherwise f)))

(defn fast-output-packet$ (flag bundle mod)
  (if (equal flag 'list)
      (if (listp mod)
          (cons (fast-output-packet$ t (car bundle) (car mod))
                (fast-output-packet$ flag (cdr bundle) (cdr mod)))
          ())
      (if (structuralp mod)
          (select-packet
           (outputs mod)
           (suboutputs mod)
           (fast-output-packet$ 'list bundle (submodules mod)))
          (if (sequentialp mod)
              (car bundle)
              bundle))))

(defn fast-output-packet (bundle module)
  (fast-output-packet$ t bundle module))

;;Next, we extract, from an input packet and a bundle, a list of
;;the input packets to a module's submodules:

(defn fast-input-packet (ins inpacket bundle mod)
  (select-packet
   ins
   (cons (inputs mod) (suboutputs mod))
   (cons inpacket (fast-output-packet$ 'list bundle (submodules mod)))))

(defn fast-input-packets (ins inpacket bundle mod)
  (if (listp ins)
      (cons (fast-input-packet (car ins) inpacket bundle mod)
            (fast-input-packets (cdr ins) inpacket bundle mod))
      ()))

(defn fast-subinput-packets (inpacket bundle mod)
  (fast-input-packets (subinputs mod) inpacket bundle mod))

(defn fast-step$ (flag mod inpacket bundle time) 

(if (equal flag 'list) 

(if (listp mod) 

(cons (fast-step$ t (car mod) (car inpacket) (car bundle) time) 
(fast-step$ 

'list (cdr mod) (cdr inpacket) (cdr bundle) time)) 

())

(if (structuralp mod) 

(fast-step$ 'list 

(submodules mod) 

(fast-subinput-packets inpacket bundle mod) 

bundle 

time) 

(if (some-new-value-p inpacket time) 

(fast-behavioral-step mod inpacket bundle time) 
bundle)))) 

(defn fast-step (mod inpacket bundle time) 

(fast-step$ t mod inpacket bundle time)) 

(defn next-wave-event (wave t0)
  (if (listp wave)
      (if (tlessp t0 (cdar wave))
          (if (tlessp t0 (cdadr wave))
              (next-wave-event (cdr wave) t0)
              (cdar wave))
          f)
      f))

(defn ftmin (t1 t2)
  (if t1
      (if (and t2 (tlessp t2 t1)) t2 t1)
      t2))

(defn next-packet-event (p t0)
  (if (listp p)
      (ftmin (next-wave-event (car p) t0)
             (next-packet-event (cdr p) t0))
      f))

(defn next-bundle-event$ (flag bun mod t0)
  (if (equal flag 'list)
      (if (listp mod)
          (ftmin (next-bundle-event$ t (car bun) (car mod) t0)
                 (next-bundle-event$ 'list (cdr bun) (cdr mod) t0))
          f)
      (case (type mod)
        (structural (next-bundle-event$ 'list bun (submodules mod) t0))
        (combinational (next-packet-event bun t0))
        (sequential (next-packet-event (car bun) t0))
        (otherwise f))))

(defn next-event (inp fbun mod t0)
  (ftmin (next-packet-event inp t0)
         (next-bundle-event$ t fbun mod t0)))

(prove-lemma tgreaterp-next-wave-event (rewrite)
  (implies (next-wave-event w t0)
           (tlessp t0 (next-wave-event w t0)))
  ((disable tlessp)))

(prove-lemma tgreaterp-next-packet-event (rewrite)
  (implies (next-packet-event p t0)
           (tlessp t0 (next-packet-event p t0)))
  ((disable tlessp)))

(prove-lemma tgreaterp-next-bundle-event (rewrite)
  (implies (next-bundle-event$ flag bun mod t0)
           (tlessp t0 (next-bundle-event$ flag bun mod t0)))
  ((disable tlessp)))

(prove-lemma tgreaterp-next-event (rewrite)
  (implies (next-event inp bun mod t0)
           (tlessp t0 (next-event inp bun mod t0)))
  ((disable tlessp)))

(prove-lemma fast-walk-lemma (rewrite)
  (implies (and (tlessp t0 tnext)
                (tleq tnext t1)
                (bounded-delta-p tnext d))
           (lex-lessp (list (difference (add1 (car t1)) (car tnext))
                            (difference d (cdr tnext)))
                      (list (difference (add1 (car t1)) (car t0))
                            (difference d (cdr t0))))))


(disable tlessp) 

(disable next-event) 

(disable lex-lessp) 

(disable difference) 

(defn fast-walk (mod inpacket fbundle start stop d)
  (let ((tnext (next-event inpacket fbundle mod start)))
    (if tnext
        (if (bounded-delta-p tnext d)
            (if (tlessp stop tnext)
                fbundle
                (fast-walk mod
                           inpacket
                           (fast-step mod inpacket fbundle tnext)
                           tnext
                           stop
                           d))
            f)
        fbundle))
  ((ord-lessp (lex (list (difference (add1 (car stop)) (car start))
                         (difference d (cdr start)))))))
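
How WALK and FAST-WALK advance simulation time, as an added Python example (not part of the original listing). It assumes times are (real . delta) pairs that TLESSP, defined outside this section, orders lexicographically, and it follows input events only, whereas FAST-WALK also consults the events that FAST-STEP posts in the bundle; the waveforms are constructed.

```python
"""Time stepping in WALK versus event skipping in FAST-WALK (added example)."""

ZERO_TIME = (0, 0)

# Constructed input packet: one newest-first waveform per input signal,
# each a list of (value, time) events ending with the event at ZERO_TIME.
CLK = [("t", (2, 0)), ("f", (1, 0)), ("x", ZERO_TIME)]
D = [("t", (1, 1)), ("x", ZERO_TIME)]
PACKET = [CLK, D]


def tinc(time, d):
    """Next valid time: bump the delta component until it reaches the bound d."""
    real, delta = time
    return (real, delta + 1) if delta < d else (real + 1, 0)


def walk_times(start, stop, d):
    """Times at which WALK calls STEP: every valid time after start, up to stop."""
    visited = []
    while start < stop:  # tuple order stands in for TLESSP (assumed)
        start = tinc(start, d)
        visited.append(start)
    return visited


def next_wave_event(wave, t0):
    """Earliest event time in wave strictly after t0, or None (the listing's F)."""
    if not wave or not t0 < wave[0][1]:
        return None
    if len(wave) > 1 and t0 < wave[1][1]:
        return next_wave_event(wave[1:], t0)
    return wave[0][1]


def ftmin(t1, t2):
    """Minimum of two times in which None means 'no event'."""
    if t1 is None:
        return t2
    return t2 if t2 is not None and t2 < t1 else t1


def next_packet_event(packet, t0):
    """Earliest event after t0 over all waveforms of the packet."""
    nxt = None
    for wave in packet:
        nxt = ftmin(next_wave_event(wave, t0), nxt)
    return nxt


def fast_walk_times(packet, start, stop, d):
    """Times at which FAST-WALK calls FAST-STEP.

    Returns None (the listing's F) when an event's delta exceeds the bound d.
    """
    visited = []
    while True:
        tnext = next_packet_event(packet, start)
        if tnext is None:
            return visited
        if tnext[1] > d:          # not bounded-delta-p
            return None
        if stop < tnext:
            return visited
        visited.append(tnext)
        start = tnext


if __name__ == "__main__":
    print(len(walk_times(ZERO_TIME, (3, 0), 2)), "steps taken by walk")
    print(fast_walk_times(PACKET, ZERO_TIME, (3, 0), 2), "visited by fast-walk")
```

WALK takes one step per valid time, so its cost grows with both the stop time and D, while FAST-WALK steps only where a waveform changes.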


(enable tlessp) 

(enable next-event) 

(enable lex-lessp) 


(enable difference) 

(defn null-fbundle$ (flag mod)
  (if (equal flag 'list)
      (if (listp mod)
          (cons (null-fbundle$ t (car mod))
                (null-fbundle$ 'list (cdr mod)))
          ())
      (if (structuralp mod)
          (null-fbundle$ 'list (submodules mod))
          (if (combinationalp mod)
              (ncopies (number-of-outputs mod) (list (cons 'x (zero-time))))
              (cons (ncopies (number-of-outputs mod)
                             (list (cons 'x (zero-time))))
                    (kill-state mod))))))

(defn fast-initialize (mod inp)
  (fast-step mod inp (null-fbundle$ t mod) (zero-time)))

(defn extract-bundle$ (flag fbun mod)
  (if (equal flag 'list)
      (if (listp mod)
          (cons (extract-bundle$ t (car fbun) (car mod))
                (extract-bundle$ 'list (cdr fbun) (cdr mod)))
          ())
      (if (structuralp mod)
          (extract-bundle$ 'list fbun (submodules mod))
          (if (combinationalp mod)
              fbun
              (car fbun)))))

(defn extract-bundle (fbun mod)
  (extract-bundle$ t fbun mod))

(defn fast-sim (mod inp t1 d)
  (packet-history
   (output-packet
    (extract-bundle
     (fast-walk mod inp (fast-initialize mod inp) (zero-time) t1 d)
     mod)
    mod)
   t1))


;;**********************************************************************
;;                            FAST-DLEVEL$
;;**********************************************************************

(defn pushl (list stack)
  (if (listp list)
      (cons (cons (car list) stack)
            (pushl (cdr list) stack))
      ()))

(defn good-list (mod bad)
  (if (listp mod)
      (cons (difference (length (signals (car mod))) (length (car bad)))
            (good-list (cdr mod) (cdr bad)))
      ()))

(defn struct-depth$ (flag mod)
  (if (equal flag 'list)
      (if (listp mod)
          (max (struct-depth$ t (car mod))
               (struct-depth$ 'list (cdr mod)))
          1)
      (if (structuralp mod)
          (add1 (struct-depth$ 'list (submodules mod)))
          1)))

(defn struct-depth (mod)
  (struct-depth$ t mod))

(defn zero-pad (l n)
  (if (lessp n (length l))
      (zero-pad (cdr l) n)
      (if (lessp (length l) n)
          (cons 0 (zero-pad l (sub1 n)))
          l))
  ((lessp (plus (count l) n))))

(prove-lemma length-zero-pad (rewrite)
  (equal (length (zero-pad l n)) (fix n)))

(defn lex-max (x y)
  (if (lex-lessp x y) y x))

(defn reverse (x)
  (if (listp x)
      (append (reverse (cdr x)) (list (car x)))
      ()))

(defn good-measure-1 (in mod bad n)
  (reverse (append (list (count in) (count mod))
                   (zero-pad (good-list mod bad) n))))


(defn good-measure-2 (mode in mod bad n) 

(if (equal mode 3) 

(if (listp mod) 

(lex-max (good-measure-1 (car in) (car mod) bad n) 

(good-measure-2 3 (cdr in) (cdr mod) bad n)) 

(ncopies (plus 2 n) 0)) 

(good-measure-1 in mod bad n)))

(defn good-measure (mode in mod bad n) 

(if (equal mode 3) 

(lex (append (good-measure-2 mode in mod bad n) (list (count mod)))) 
(lex (append (good-measure-2 mode in mod bad n) (list 0))))) 

(prove-lemma length-reverse (rewrite)

(equal (length (reverse 1)) (length 1))) 

(defn tailp (s l k)
  (if (zerop k)
      (equal s l)
      (tailp s (cdr l) (sub1 k))))

(prove-lemma lex-lessp-reverse ()
  (implies (and (lex-lessp (reverse g1) (reverse g2))
                (tailp g1 l1 k)
                (tailp g2 l2 k))
           (lex-lessp (reverse l1) (reverse l2))))

(prove-lemma lex-lessp-append (rewrite)
  (implies (lessp a b)
           (lex-lessp (append l (cons a ()))
                      (append l (cons b ()))))
  ((induct (length l))))

(prove-lemma lex-lessp-reverse-good-list (rewrite) 

(implies (and (listp mod) 

(equal (type (car mod)) 'structural) 

(not (member in (car bad))) 

(member in (signals (car mod))) 

(distinct-symbols (car bad)) 

(subsetp (car bad) (signals (car mod)))) 

(lex-lessp
 (reverse
  (good-list
   mod (cons (cons in (car bad)) (cdr bad))))
 (reverse (good-list mod bad)))))

(prove-lemma tailp-zero-pad () 

(implies (leq (length g) n) 

(tailp g (zero-pad g n) (difference n (length g))))) 

(prove-lemma tailp-cdr ()
  (implies (and (tailp g l k) (listp g))
           (tailp (cdr g) l (add1 k))))

(prove-lemma length-good-list (rewrite)
  (equal (length (good-list mod bad)) (length mod)))

(prove-lemma difference-sub1 (rewrite)
  (equal (difference (sub1 x) y)
         (sub1 (difference x y))))


(prove-lemma lex-lessp-reverse-zero-pad (rewrite) 

(implies (and (listp mod) 

(lessp (length mod) n) 

(equal (type (car mod)) 'structural) 

(not (member in (car bad))) 

(member in (signals (car mod))) 

(distinct-symbols (car bad)) 

(subsetp (car bad) (signals (car mod)))) 

(lex-lessp 

(reverse 

(zero-pad (good-list (cons sub mod) 

(cons () 

(cons (cons in (car bad)) 
(cdr bad)))) 


n)) 

(reverse (zero-pad (good-list mod bad) n)))) 
  ((use (tailp-zero-pad
         (g (good-list (cons sub mod)
                       (cons () (cons (cons in (car bad))
                                      (cdr bad))))))
        (tailp-cdr
         (g (good-list
             (cons sub mod)
             (cons () (cons (cons in (car bad)) (cdr bad)))))
         (l (zero-pad
             (good-list
              (cons sub mod)
              (cons () (cons (cons in (car bad)) (cdr bad))))
             n))
         (k (sub1 (difference n (length mod)))))
        (lex-lessp-reverse
         (g1 (good-list mod (cons (cons in (car bad)) (cdr bad))))
         (l1 (zero-pad
              (good-list
               (cons sub mod)
               (cons () (cons (cons in (car bad)) (cdr bad))))
              n))
         (k (difference n (length mod)))
         (g2 (good-list mod bad))
         (l2 (zero-pad (good-list mod bad) n)))
        (tailp-zero-pad (g (good-list mod bad))))
   (disable zero-pad signals tailp)))

(prove-lemma ord-lessp-good-measure-0 (rewrite)
  (implies (and (listp mod)
                (lessp (length mod) n)
                (equal (type (car mod)) 'structural)
                (not (member in (car bad)))
                (member in (signals (car mod)))
                (distinct-symbols (car bad))
                (subsetp (car bad) (signals (car mod))))
           (lex-lessp
            (good-measure-1
             ins
             (cons sub mod)
             (cons () (cons (cons in (car bad)) (cdr bad))) n)
            (good-measure-2 0 in mod bad n)))
  ((use (lex-lessp-reverse
         (g1 (zero-pad
              (good-list
               (cons sub mod)
               (cons () (cons (cons in (car bad)) (cdr bad))))
              n))
         (l1 (append (list (count ins) (count (cons sub mod)))
                     (zero-pad
                      (good-list
                       (cons sub mod)
                       (cons () (cons (cons in (car bad))
                                      (cdr bad))))
                      n)))
         (g2 (zero-pad (good-list mod bad) n))
         (l2 (append (list (count in) (count mod))
                     (zero-pad (good-list mod bad) n)))
         (k 2)))
   (disable zero-pad signals good-list reverse)))

(prove-lemma good-measure-2-open-1 (rewrite)
  (implies (listp mod)
           (equal (good-measure-2 3 in mod bad n)
                  (lex-max
                   (good-measure-1 (car in) (car mod) bad n)
                   (good-measure-2 3 (cdr in) (cdr mod) bad n)))))

(disable good-measure-2-open-1)

(prove-lemma good-measure-2-open-2 (rewrite)
  (implies (nlistp mod)
           (equal (good-measure-2 3 in mod bad n)
                  (ncopies (plus 2 n) 0))))

(disable good-measure-2-open-2)

(prove-lemma not-ord-lessp-0 (rewrite) 

(implies (equal (length x) (fix k)) 

(not (lex-lessp x (ncopies k 0))))) 

(prove-lemma lex-lessp-append-a1-a2 ()
  (implies (and (not (lex-lessp a1 a2))
                (lex-lessp b2 b1)
                (equal (length a1) (length a2)))
           (lex-lessp (append a2 b2) (append a1 b1))))

(prove-lemma length-ncopies (rewrite) 

(equal (length (ncopies n x)) (fix n))) 

(prove-lemma not-zerop-count-cons () 

(not (zerop (count (cons (car mod) (cdr mod)))))) 

(prove-lemma count-listp ()
  (implies (listp mod) (not (zerop (count mod))))
  ((use (not-zerop-count-cons))
   (disable count-cons)))

(prove-lemma ncopies-plus-n-2 ()
  (equal (append (ncopies n 0) '(0 0))
         (ncopies (plus n 2) 0)))

(prove-lemma assoc-plus ()
  (equal (plus x y) (plus y x)))

(prove-lemma ncopies-plus-2-n ()
  (equal (append (ncopies n 0) '(0 0))
         (ncopies (plus 2 n) 0))
  ((use (ncopies-plus-n-2)
        (assoc-plus (x 2) (y n)))))

(prove-lemma append-append (rewrite)
  (equal (append (append a b) c)
         (append a (append b c))))

(disable append-append)

(prove-lemma lex-leq-0 (rewrite)
  (implies (listp mod)
           (lex-lessp (ncopies (plus 2 n) 0)
                      (good-measure-2 0 in mod bad n)))
  ((use (lex-lessp-append-a1-a2
         (a1 (reverse (zero-pad (good-list mod bad) n)))
         (a2 (ncopies n 0))
         (b1 (list (count mod) (count in)))
         (b2 (list 0 0)))
        (ncopies-plus-2-n)
        (count-listp))
   (enable append-append)))

(prove-lemma lex-lessp-good-measure-3 (rewrite)
  (implies (and (listp mod)
                (lessp (length mod) n)
                (equal (type (car mod)) 'structural)
                (not (member in (car bad)))
                (member in (signals (car mod)))
                (distinct-symbols (car bad))
                (subsetp (car bad) (signals (car mod))))
           (lex-lessp
            (good-measure-2
             3
             ins
             (pushl subs mod)
             (cons () (cons (cons in (car bad)) (cdr bad)))
             n)
            (good-measure-2 0 in mod bad n)))
  ((disable good-measure-2 good-measure-1 signals ord-lessp count-cons)
   (enable good-measure-2-open-1 good-measure-2-open-2)
   (induct (good-list subs ins))))

(prove-lemma lex-lessp-append-2 ()
  (implies (lex-lessp a1 a2)
           (lex-lessp (append a1 b1) (append a2 b2))))

(prove-lemma length-append (rewrite) 

(equal (length (append a b)) 

(plus (length a) (length b)))) 

(prove-lemma length-good-measure-2 (rewrite) 

(equal (length (good-measure-2 mode in mod bad n)) 

(plus n 2))) 

(prove-lemma ord-lessp-good-measure-3 (rewrite) 

(implies (and (listp mod) 

(lessp (length mod) n) 

(equal (type (car mod)) 'structural) 

(not (member in (car bad))) 

(member in (signals (car mod))) 

(distinct-symbols (car bad)) 

(subsetp (car bad) (signals (car mod)))) 

(ord-lessp 

(good-measure 

3 

ins 

(pushl subs mod) 

(cons () (cons (cons in (car bad)) (cdr bad))) 
n) 

(good-measure 0 in mod bad n))) 

((disable good-measure-2) 

   (use (lex-lessp-append-2
         (a1 (good-measure-2
              3
              ins
              (pushl subs mod)
              (cons () (cons (cons in (car bad)) (cdr bad))) n))
         (a2 (good-measure-2 0 in mod bad n))
         (b1 (list (count (pushl subs mod))))
         (b2 (list 0))))))


(prove-lemma not-lex-lessp-append (rewrite)
  (implies (and (not (lex-lessp a1 a2))
                (not (lex-lessp b1 b2))
                (equal (length a1) (length a2)))
           (not (lex-lessp (append a1 b1) (append a2 b2)))))

(prove-lemma zero-pad-cons-0 () 

(implies (lessp (length g) n) 

(equal (zero-pad g n) 

(zero-pad (cons 0 g) n)))) 

(prove-lemma lex-lessp-lex-lessp-append (rewrite) 

(implies (and (lex-lessp a b) 

(equal (length c) (length d))) 

(lex-lessp (append a c) (append b d)))) 

(prove-lemma not-lex-lessp-reverse-zero-pad ()
  (implies (and (not (lex-lessp (reverse g1) (reverse g2)))
                (equal (length g1) (length g2)))
           (not (lex-lessp (reverse (zero-pad g1 n))
                           (reverse (zero-pad g2 n))))))

(prove-lemma zero-pad-cdr (rewrite) 

(implies (and (listp g) 

(lessp n (length g))) 

(equal (zero-pad (cdr g) n) 

(zero-pad g n)))) 

(prove-lemma lex-leq-zero-pad-cdr () 

(implies (listp g) 

(not (lex-lessp (reverse (zero-pad g n)) 

(reverse (zero-pad (cdr g) n))))) 
  ((use (not-lex-lessp-reverse-zero-pad
         (g1 g) (g2 (cons 0 (cdr g))))
        (zero-pad-cons-0 (g (cdr g))))))

(prove-lemma append- append- append (rewrite) 

(equal (append (append (append a b) c) d) 

(append a (append b (append c d))))) 

(disable append-append-append) 
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(prove-lemma ord-lessp-good-measure-1 (rewrite) 

(implies (listp mod) 

(ord-lessp (good-measure 1 ins (cdr mod) (cdr bad) n) 
(good-measure 0 in mod bad n))) 

  ((use (lex-leq-zero-pad-cdr (g (good-list mod bad)))
        (lex-lessp-append-a1-a2
         (a1 (reverse (zero-pad (good-list mod bad) n)))
         (a2 (reverse (zero-pad (cdr (good-list mod bad)) n)))
         (b1 (list (count mod) (count in) 0))
         (b2 (list (count (cdr mod)) (count ins) 0))))
   (enable append-append-append)
   (disable zero-pad signals)))

(prove-lemma ord-lessp-good-measure-i (rewrite) 

(implies (and (listp in) 

(not (equal i 3)) 

(not (equal j 3))) 

(ord-lessp (good-measure i (cdr in) mod bad n) 
(good-measure j in mod bad n))) 

  ((use (lex-lessp-append-a1-a2
         (a1 (reverse (cons (count mod)
                            (zero-pad (good-list mod bad) n))))
         (a2 (reverse (cons (count mod)
                            (zero-pad (good-list mod bad) n))))
         (b1 (list (count in) 0))
         (b2 (list (count (cdr in)) 0))))
   (enable append-append)
   (disable good-list)))

(prove-lemma ord-lessp-good-measure-i-car (rewrite) 

(implies (and (listp in) 

(not (equal i 3)) 

(not (equal j 3))) 

(ord-lessp (good-measure i (car in) mod bad n) 
(good-measure j in mod bad n))) 

  ((use (lex-lessp-append-a1-a2
         (a1 (reverse (cons (count mod)
                            (zero-pad (good-list mod bad) n))))
         (a2 (reverse (cons (count mod)
                            (zero-pad (good-list mod bad) n))))
         (b1 (list (count in) 0))
         (b2 (list (count (car in)) 0))))
   (enable append-append)
   (disable good-list)))


(prove-lemma ord-lessp-trans-l (rewrite) 

(implies (and (ord-lessp b c) (ord-lessp a b)) 

(ord-lessp a c))) 

(prove-lemma length-append-good-measure-2 () 

  (equal (length (append (reverse (zero-pad (good-list x bad) n))
                         (cons (count x) (cons (count (car in)) '(0)))))
         (length (append (good-measure-2 3 (cdr in) z bad n)
                         (list (add1 (plus (count x) (count z))))))))

(prove-lemma lex-lessp-antisymmetry () 

(not (and (lex-lessp x y) (lex-lessp y x)))) 

(prove-lemma not-lex-lessp-good-measure-2-3 () 

(implies (listp mod) 

(not (lex-lessp (good-measure-2 3 in mod bad n) 

(good-measure-2 1 (car in) (car mod) bad n)))) 
((use (lex-lessp-antisymmetry 

(x (good-measure-2 3 (cdr in) (cdr mod) bad n)) 

(y (good-measure-2 1 (car in) (car mod) bad n)))))) 

(prove-lemma length-append-good-measure-1 (rewrite) 

  (equal (length (append (good-measure-1 (car in) (car mod) bad n)
                         '(0)))
         (length (append (good-measure-2 3 in mod bad n)
                         (list (count mod))))))

(prove-lemma ord-lessp-good-measure-1-3 (rewrite) 

  (implies (listp mod)
           (ord-lessp (good-measure 1 (car in) (car mod) bad n)
                      (good-measure 3 in mod bad n)))
  ((use (lex-lessp-append-a1-a2
         (a1 (good-measure-2 3 in mod bad n))
         (a2 (good-measure-2 1 (car in) (car mod) bad n))
         (b1 (list (count mod)))
         (b2 '(0)))
        (not-lex-lessp-good-measure-2-3))
   (disable good-measure-1)))

(prove-lemma length-good-measure-1 (rewrite)

(equal (length (good-measure-1 in mod bad n)) 

(plus n 2))) 
(prove-lemma ord-lessp-good-measure-3-3 (rewrite)

(implies (listp mod) 

(ord-lessp (good-measure 3 (cdr in) (cdr mod) bad n) 
(good-measure 3 in mod bad n))) 

((enable good-measure-2-open-l) 

 (use (lex-lessp-append-a1-a2
       (a2 (good-measure-2 3 (cdr in) (cdr mod) bad n))
       (a1 (good-measure-1 (car in) (car mod) bad n))
       (b2 (list (count (cdr mod))))
       (b1 (list (count mod)))))
 (disable good-measure-2 good-measure-1)))

(prove-lemma ordp-good-measure (rewrite) 

(ordinalp (good-measure mode in mod bad n))) 

(disable good-measure) 

(defn fast-dlevel$ (mode in mod env bad n)
  (case mode
    (0 (if (listp mod)
           (if (and (structuralp (car mod))
                    (lessp (length mod) n))
               (if (and (not (member in (car bad)))
                        (equal (length (suboutputs (car mod)))
                               (length (submodules (car mod))))
                        (member in (signals (car mod)))
                        (distinct-symbols (car bad))
                        (subsetp (car bad) (signals (car mod))))
                   (fmaxll
                    (cons (if (listp (cdr mod))
                              (fast-dlevel$
                               1
                               (lookup-all in (outputs (car mod)) (car env))
                               (cdr mod)
                               (cdr env)
                               (cdr bad)
                               n)
                              (lookup-all in (outputs (car mod)) (car env)))
                          (fast-dlevel$
                           3
                           (lookup-inputs in
                                          (subinputs (car mod))
                                          (submodules (car mod)))
                           (pushl (submodules (car mod)) mod)
                           (pushl (suboutputs (car mod)) env)
                           (cons ()
                                 (cons (cons in (car bad)) (cdr bad)))
                           n)))
                   f)
               (if (listp (cdr mod))
                   (fmaxl (faddll (fast-dlevel$ 1
                                                (select-deltas
                                                 (delays (car mod)) (car env))
                                                (cdr mod)
                                                (cdr env)
                                                (cdr bad)
                                                n)))
                   (fmaxl (faddll (select-deltas
                                   (delays (car mod)) (car env))))))
           f))
    (1 (if (listp in)
           (cons (fast-dlevel$ 0 (car in) mod env bad n)
                 (fast-dlevel$ 1 (cdr in) mod env bad n))
           ()))
    (2 (if (listp in)
           (cons (fast-dlevel$ 1 (car in) mod env bad n)
                 (fast-dlevel$ 2 (cdr in) mod env bad n))
           ()))
    (3 (if (listp mod)
           (cons (fast-dlevel$ 1 (car in) (car mod) (car env) bad n)
                 (fast-dlevel$ 3 (cdr in) (cdr mod) (cdr env) bad n))
           ()))
    (otherwise f))
  ((ord-lessp (good-measure mode in mod bad n))))



(defn fast-delta-acyclic (mod)
  ;determines whether there is any cyclic 0-delay path within MOD
  (fmaxll (fast-dlevel$ 2
                        (suboutputs mod)
                        (list mod)
                        (list (ncopies (number-of-outputs mod) 0))
                        (list ())
                        (struct-depth mod))))

;;********************************************************************

;;                         MODULE REDUCTION

;;********************************************************************

;;Functions that traverse structural modules will have an argument that
;;represents a bound on the length of the path to be traversed, in order
;;to establish termination.  For this purpose, we define a function that
;;computes the length of the longest path through combinational
;;components of a structure:

(defn slevel$ (flag out mod bad)
  ;(SLEVEL$ T OUT MOD ()) is the length of the longest path through
  ;combinational components to OUT.  MOD is assumed to be a flat
  ;structure.
  (if (equal flag 'list)
      (if (listp out)
          (fmax (slevel$ t (car out) mod bad)
                (slevel$ 'list (cdr out) mod bad))
          0)
      (if (or (member out (inputs mod))
              (sequentialp (find-submodule out mod)))
          0
          (if (and (not (member out bad))
                   (distinct-symbols bad)
                   (member out (signals mod))
                   (subsetp bad (signals mod)))
              (faddl (slevel$ 'list (find-inputs out mod) mod (cons out bad)))
              f)))
  ((ord-lessp (lex (list (difference (length (signals mod)) (length bad))
                         (count out))))))


(defn sdepth (mod) 

;the maximum length of all paths through combinational components 
(slevel$ 'list (signals mod) mod ()))

;; Output delays are computed by tracing backwards to sequential 
;; outputs and global inputs: 

(defn max-delay-to-signal$ (flag out mod d)
  (if (equal flag 'list)
      (if (listp out)
          (cons (max-delay-to-signal$ t (car out) mod d)
                (max-delay-to-signal$ 'list (cdr out) mod d))
          ())
      (if (member out (inputs mod))
          0
          (if (sequentialp (find-submodule out mod))
              (max-delay (find-delay out mod))
              (if (zerop d)
                  f
                  (plus (fmaxl (max-delay-to-signal$
                                'list (find-inputs out mod) mod (sub1 d)))
                        (max-delay (find-delay out mod)))))))
  ((ord-lessp (lex (list d (count out))))))
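
The following Python sketch is an added illustration, not part of the original Nqthm listing. It mirrors the roles of SLEVEL$, SDEPTH and MAX-DELAY-TO-SIGNAL$ on a constructed netlist, showing how the BAD list detects a combinational cycle and why the bound D must be at least the depth of the signal. The dictionary encoding of the netlist, the signal names and the delay values are assumptions made for the example, and the DISTINCT-SYMBOLS and SUBSETP side conditions are omitted.

```python
# Constructed netlist model (an assumption of this example): every driven
# signal maps to (kind, input_signals, max_delay), kind is "comb" or "seq".
INPUTS = {"clk", "a"}
NETLIST = {
    "q":   ("seq",  ["clk", "a"], 3),
    "n1":  ("comb", ["q", "a"],   2),
    "n2":  ("comb", ["n1", "q"],  4),
    "out": ("comb", ["n2"],       1),
}
CYCLIC = {  # x and y feed each other through combinational gates only
    "x": ("comb", ["y"],      1),
    "y": ("comb", ["x", "a"], 1),
}


def slevel(out, inputs, drivers, bad=()):
    """Longest path through combinational components ending at `out`.

    `bad` holds the signals already on the current path; meeting one of
    them again means a combinational cycle, reported as None (F above).
    """
    if out in inputs or (out in drivers and drivers[out][0] == "seq"):
        return 0
    if out in bad or out not in drivers:
        return None
    levels = [slevel(i, inputs, drivers, bad + (out,)) for i in drivers[out][1]]
    if None in levels:
        return None
    return 1 + max(levels, default=0)


def sdepth(inputs, drivers):
    """Maximum slevel over all driven signals, or None if any path cycles."""
    levels = [slevel(s, inputs, drivers) for s in drivers]
    return None if None in levels else max(levels, default=0)


def max_delay_to_signal(out, inputs, drivers, d):
    """Worst-case delay to `out`, recursing at most `d` combinational levels."""
    if out in inputs:
        return 0
    kind, ins, delay = drivers[out]
    if kind == "seq":
        return delay
    if d == 0:
        return None  # bound exhausted before reaching a register or input
    arrivals = [max_delay_to_signal(i, inputs, drivers, d - 1) for i in ins]
    if None in arrivals:
        return None
    return max(arrivals, default=0) + delay


if __name__ == "__main__":
    depth = sdepth(INPUTS, NETLIST)
    print(depth, max_delay_to_signal("out", INPUTS, NETLIST, depth))
    print(sdepth(INPUTS, CYCLIC))
```

With the depth of the acyclic netlist as the bound, the delay computation reaches every register and input; with a smaller bound it gives up, which is the case the listing reports as F.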


(defn fmin (x y)
  (if x
      (if y
          (if (lessp x y)
              x
              y)
          x)
      y))

(defn fminl (l)
  (if (listp l)
      (fmin (car l) (fminl (cdr l)))
      t))

(defn min-delay-to-signal$ (flag out mod d)
  (if (equal flag 'list)
      (if (listp out)
          (cons (min-delay-to-signal$ t (car out) mod d)
                (min-delay-to-signal$ 'list (cdr out) mod d))
          0)
      (if (member out (inputs mod))
          0
          (if (sequentialp (find-submodule out mod))
              (min-delay (find-delay out mod))
              (if (zerop d)
                  f
                  (plus (fminl (min-delay-to-signal$
                                'list (find-inputs out mod) mod (sub1 d)))
                        (min-delay (find-delay out mod)))))))
  ((ord-lessp (lex (list d (count out))))))

(defn collect-delays (mod d) 
(pairlist (min-delay-to-signal$ 'list (outputs mod) mod d)

(max-delay-to-signal$ 'list (outputs mod) mod d))) 


;;The delay mode of an output is nondeterministic unless it is 
;;generated directly by a sequential component, in which case it 
;; inherits its mode from that component: 


(defn collect-all-modes (outs mod)
  (if (listp outs)
      (cons (if (sequentialp (find-submodule (car outs) mod))
                (find-mode (car outs) mod)
                'nondeterministic)
            (collect-all-modes (cdr outs) mod))
      ()))


(defn collect-modes (mod) 

(collect-all-modes (outputs mod) mod)) 


;;Output forms are constructed by tracing back to locals and global
;;inputs:

(defn subst$ (flag vals vars form)
  (if (equal flag 'list)
      (if (listp form)
          (cons (subst$ t vals vars (car form))
                (subst$ 'list vals vars (cdr form)))
          0)
      (if (member form vars)
          (lookup form vars vals)
          (if (nlistp form)
              form
              (if (equal (car form) 'quote)
                  form
                  (cons (car form) (subst$ 'list vals vars (cdr form))))))))

(defn subst (vals vars form) 

(subst$ t vals vars form))

(defn signal-form$ (flag out mod d)
  ;If D is at least the slevel of OUT, then (SIGNAL-FORM$ T OUT MOD D)
  ;is an expression for the signal OUT in terms of the inputs of MOD and
  ;the locals of its sequential components
  (if (equal flag 'list)
      (if (listp out)
          (cons (signal-form$ t (car out) mod d)
                (signal-form$ 'list (cdr out) mod d))
          ())
      (if (member out (inputs mod))
          out
          (if (sequentialp (find-submodule out mod))
              (lookup out
                      (find-outputs out mod)
                      (outputs (find-submodule out mod)))
              (if (zerop d)
                  f
                  (subst (signal-form$ 'list (find-inputs out mod) mod (sub1 d))
                         (inputs (find-submodule out mod))
                         (lookup out
                                 (find-outputs out mod)
                                 (outputs (find-submodule out mod))))))))
  ((ord-lessp (lex (list d (count out))))))

(defn signal-forms (out mod d) 

(signal-form$ 'list out mod d))

(defn collect-outputs (mod d) 

(signal-forms (outputs mod) mod d))


;;If a structure is acyclic and has only combinational components,
;;then it reduces to a combinational module: 

(defn comb-reduce (mod) 

(let ((d (sdepth mod))) 

(if d 

(list 'combinational 
(inputs mod) 

(collect-outputs mod d) 

(collect-modes mod) 

(collect-delays mod d)) 

f))) 


;;The reduction of a sequential structure requires renaming of signals
;;and locals in order to ensure that the locals and inputs of the
;;resulting module are distinct:

(prove-lemma lessp-quotient (rewrite)

(implies (leq 10 n) 

(lessp (quotient n 10) n))) 

(prove-lemma lessp-remainder (rewrite) 

(implies (leq 10 n) 

(lessp (remainder n 10) n)))

(defn number-codes (n)
  (if (lessp n 10)
      (cons (plus n 48) 0)
      (append (number-codes (quotient n 10))
              (number-codes (remainder n 10)))))

(defn append-number (a n) 

(pack (append (unpack a) (cons 45 (number-codes n))))) 

(defn append-number-in-list (l n)
  (if (listp l)
      (cons (append-number (car l) n)
            (append-number-in-list (cdr l) n))
      ()))

(defn append-number-in-lists (l n)
  (if (listp l)
      (cons (append-number-in-list (car l) n)
            (append-number-in-lists (cdr l) n))
      ()))

(defn append-number-in-term$ (flag term vars n)
  (if (equal flag 'list)
      (if (listp term)
          (cons (append-number-in-term$ t (car term) vars n)
                (append-number-in-term$ 'list (cdr term) vars n))
          0)
      (if (listp term)
          (if (equal (car term) 'quote)
              term
              (cons (car term)
                    (append-number-in-term$ 'list (cdr term) vars n)))
          (if (member term vars)
              (append-number term n)
              term))))

(defn append-numbers-in-module (mod n)
  (case (type mod)
    (sequential
     (list 'sequential
           (append-number-in-list (inputs mod) n)
           (append-number-in-term$ 'list (outputs mod) (locals mod) n)
           (modes mod)
           (delays mod)
           (trigger mod)
           (append-number-in-list (locals mod) n)
           (append-number-in-term$
            'list (state mod) (append (inputs mod) (locals mod)) n)
           (period mod)
           (setups mod)
           (holds mod)))
    (combinational
     (list 'combinational
           (append-number-in-list (inputs mod) n)
           (append-number-in-term$ 'list (outputs mod) (inputs mod) n)
           (modes mod)
           (delays mod)))
    (otherwise f)))

(defn append-numbers-in-submodules (mods n)
  (if (listp mods)
      (cons (append-numbers-in-module (car mods) n)
            (append-numbers-in-submodules (cdr mods) (add1 n)))
      ()))

(defn rename-structure (mod)
  (list 'structural
        (append-number-in-list (inputs mod) (length (submodules mod)))
        (append-number-in-list (outputs mod) (length (submodules mod)))
        (append-numbers-in-submodules (submodules mod) 0)
        (append-number-in-lists (subinputs mod) (length (submodules mod)))
        (append-number-in-lists
         (suboutputs mod) (length (submodules mod)))))

;;Setup and hold times of sequential submodules impose constraints on
;;the stability of the structure's signals:

(defn add-max-delays (delays l)
  (if (listp l)
      (cons (plus (max-delay (car delays)) (car l))
            (add-max-delays (cdr delays) (cdr l)))
      ()))


(defn compute-setup$ (flag in submods subins subouts mod d)
  ;The period for which IN must remain stable prior to a triggering edge
  ;in order not to violate the setup time of any input to a sequential
  ;submodule is given by
  ;  (COMPUTE-SETUP$
  ;    T IN (SUBMODULES MOD) (SUBINPUTS MOD) (SUBOUTPUTS MOD) MOD D))
  (if (equal flag 'list)
      (if (listp in)
          (cons (compute-setup$
                 t (car in) submods subins subouts mod d)
                (compute-setup$
                 'list (cdr in) submods subins subouts mod d))
          0)
      (if (listp submods)
          (if (sequentialp (car submods))
              (fmax (fmaxl (lookup-all in (car subins)
                                       (setups (car submods))))
                    (compute-setup$
                     t in (cdr submods) (cdr subins) (cdr subouts) mod d))
              (if (member in (car subins))
                  (if (zerop d)
                      f
                      (fmax (fmaxl (add-max-delays
                                    (delays (car submods))
                                    (compute-setup$ 'list
                                                    (car subouts)
                                                    (submodules mod)
                                                    (subinputs mod)
                                                    (suboutputs mod)
                                                    mod
                                                    (sub1 d))))
                            (compute-setup$ t in (cdr submods) (cdr subins)
                                            (cdr subouts) mod d)))
                  (compute-setup$
                   t in (cdr submods) (cdr subins) (cdr subouts) mod d)))
          0))
  ((ord-lessp (lex (list d (count submods) (count in))))))


(defn compute-setups (ins mod d)
  (compute-setup$
   'list ins (submodules mod) (subinputs mod) (suboutputs mod) mod d))

(defn collect-setups (mod d)
  (compute-setups (inputs mod) mod d))

(defn subtract-min-delays (delays l)
  (if (listp l)
      (cons (difference (car l) (min-delay (car delays)))
            (subtract-min-delays (cdr delays) (cdr l)))
      ()))


(defn compute-hold$ (flag in submods subins subouts mod d)
  ;The period for which IN must remain stable following a triggering
  ;edge in order not to violate the hold time of any input to a sequential
  ;submodule is given by
  ;  (COMPUTE-HOLD$
  ;    T IN (SUBMODULES MOD) (SUBINPUTS MOD) (SUBOUTPUTS MOD) MOD D))
  (if (equal flag 'list)
      (if (listp in)
          (cons (compute-hold$
                 t (car in) submods subins subouts mod d)
                (compute-hold$
                 'list (cdr in) submods subins subouts mod d))
          0)
      (if (listp submods)
          (if (sequentialp (car submods))
              (fmax (fmaxl (lookup-all in (car subins)
                                       (holds (car submods))))
                    (compute-hold$
                     t in (cdr submods) (cdr subins) (cdr subouts) mod d))
              (if (member in (car subins))
                  (if (zerop d)
                      f
                      (fmax (fmaxl (subtract-min-delays
                                    (delays (car submods))
                                    (compute-hold$ 'list
                                                   (car subouts)
                                                   (submodules mod)
                                                   (subinputs mod)
                                                   (suboutputs mod)
                                                   mod
                                                   (sub1 d))))
                            (compute-hold$ t in (cdr submods) (cdr subins)
                                           (cdr subouts) mod d)))
                  (compute-hold$
                   t in (cdr submods) (cdr subins) (cdr subouts) mod d)))
          0))
  ((ord-lessp (lex (list d (count submods) (count in))))))

(defn compute-holds (ins mod d) 

(compute-hold$ 

'list ins (submodules mod) (subinputs mod) (suboutputs mod) mod d))

(defn collect-holds (mod d)

(compute-holds (inputs mod) mod d)) 

;;Reduction of a sequential structure requires that (1) the structure is
;;flat, (2) there are no cycles passing only through combinational
;;components, (3) global outputs are functions of state (and not of
;;global inputs), (4) all sequential submodules have the same trigger
;;and are connected to the same clock, and (5) the minimum delays of the
;;outputs of the sequential components are long enough to respect the
;;hold times of the sequential inputs that they feed:

(defn check-holds (holds delays) 

(if (listp holds) 

(and (leq (car holds) (min-delay (car delays))) 

(check-holds (cdr holds) (cdr delays))) 

t)) 

(defn check-internal (mod submods subins subouts clk trigger d)
  (if (listp submods)
      (and (if (sequentialp (car submods))
               (and (equal (trigger (car submods)) trigger)
                    (equal (caar subins) clk)
                    (check-holds (compute-holds (car subouts) mod d)
                                 (delays (car submods))))
               (combinationalp (car submods)))
           (check-internal
            mod (cdr submods) (cdr subins) (cdr subouts) clk trigger d))
      t))

(defn check-outputs$ (flag out mod d)
  ;Global outputs are required to be functions of state
  (if (equal flag 'list)
      (if (listp out)
          (and (check-outputs$ t (car out) mod d)
               (check-outputs$ 'list (cdr out) mod d))
          0)
      (if (member out (inputs mod))
          f
          (if (sequentialp (find-submodule out mod))
              t
              (if (zerop d)
                  f
                  (check-outputs$ 'list (find-inputs out mod) mod (sub1 d))))))
  ((ord-lessp (lex (list d (count out))))))

(defn check-seq-struct (mod trigger d)
  (and (check-outputs$ 'list (outputs mod) mod d)
       (check-internal mod
                       (submodules mod)
                       (subinputs mod)
                       (suboutputs mod)
                       (car (inputs mod))
                       trigger
                       d)))

;;The minimum clock period is bounded by the maximum of the periods of
;;the sequential components.  It also must be long enough to allow
;;internal signals to stabilize in order to respect setup times:

(defn minimum-period$ (submods subouts mod d)
  (if (listp submods)
      (if (sequentialp (car submods))
          (max (max (period (car submods))
                    (fmaxl (add-max-delays
                            (delays (car submods))
                            (compute-setups (car subouts) mod d))))
               (minimum-period$ (cdr submods) (cdr subouts) mod d))
          (minimum-period$ (cdr submods) (cdr subouts) mod d))
      ()))

(defn minimum-period (mod d) 

(minimum-period$ (submodules mod) (suboutputs mod) mod d))


;; State forms are constructed in the same manner as output forms, by 
;; tracing back to locals and global inputs: 

(defn collect-all-states (subins submods mod d) 
(if (listp submods)

(if (sequentialp (car submods)) 

(append (subst$ 'list 

(signal-forms (car subins) mod d) 

(inputs (car submods)) 

(state (car submods))) 

(collect-all-states (cdr subins) (cdr submods) mod d)) 
(collect-all-states (cdr subins) (cdr submods) mod d)) 

())) 

(defn collect-state (mod d) 

(collect-all-states (subinputs mod) (submodules mod) mod d)) 


;;The locals of the reduced modules are just the union of the locals of
;;all sequential components: 

(defn collect-all-locals (submods) 

(if (listp submods) 

(if (sequentialp (car submods)) 

(append (locals (car submods))

(collect-all-locals (cdr submods))) 
(collect-all-locals (cdr submods))) 

())) 


(defn collect-locals (mod) 

(collect-all-locals (submodules mod))) 


;;Before a sequential structure is reduced, its locals and signals are
;;renamed and its admissibility is established: 

(defn reduce-renamed-struct (mod trigger d) 

(list 'sequential
(inputs mod) 

(collect-outputs mod d) 

(collect-modes mod) 

(collect-delays mod d) 
trigger 

(collect-locals mod) 

(collect-state mod d) 

(minimum-period mod d) 

(collect-setups mod d) 

(collect-holds mod d))) 

(defn seq-reduce (mod trigger)
  (let ((d (sdepth mod)))
    (if (and d (check-seq-struct mod trigger d))
        (reduce-renamed-struct (rename-structure mod) trigger d)
        f)))


;;A structure is reduced after searching for sequential components:

(defn determine-type-of-reduction (mod submods)
  (if (listp submods)
      (case (type (car submods))
        (combinational (determine-type-of-reduction mod (cdr submods)))
        (sequential (seq-reduce mod (trigger (car submods))))
        (otherwise f))
      (comb-reduce mod)))

(defn reduce-structure (mod)
  (determine-type-of-reduction mod (submodules mod)))

(defn reduce-module$ (flag mod)
  (if (equal flag 'list)
      (if (listp mod)
          (cons (reduce-module$ t (car mod))
                (reduce-module$ 'list (cdr mod)))
          0)
      (if (structuralp mod)
          (reduce-structure (list 'structural
                                  (inputs mod)
                                  (outputs mod)
                                  (reduce-module$ 'list (submodules mod))
                                  (subinputs mod)
                                  (suboutputs mod)))
          mod)))

(defn reduce-module (mod)
  (reduce-module$ t mod))